Abstract


We address the issue of endowing a logical framework with a logically justified notion of negation. Logical frameworks with a logic programming interpretation such as hereditary Harrop formulae cannot directly express negative information, although negation is a useful specification tool. Since negation-as-failure does not fit well in a logical framework, especially one endowed with hypothetical and parametric judgments, we adapt the idea of elimination of negation from Horn logic to a fragment of higher-order hereditary Harrop formulae. The idea is to replace occurrences of negative predicates with positive ones which are operationally equivalent. This entails two separate phases.

Complementing terms, i.e. in our case higher-order patterns. Due to the presence of partially applied lambda terms, intuitionistic lambda calculi are not closed under complementation. We thus develop a strict lambda calculus, where we can directly express whether a function depends on its argument.

Complementing clauses. This can be seen as a negation normal form procedure which is consistent with intuitionistic provability. It entails finding a middle ground between the Closed World Assumption usually associated with negation and the Open World Assumption typical of logical frameworks. As this is in general not possible, we restrict ourselves to a fragment in which clause complementation is viable and that has proven to be expressive enough for the practice of logical frameworks. The main technical idea is to isolate a set of programs where static and dynamic clauses do not overlap.
Chapter 1

Introduction


Suppose we are giving a formal definition of a programming language in the style of natural semantics [Kah87]; after we have specified the abstract syntax, the type system ($e : \tau$) and a small step evaluation semantics ($e \mapsto e'$), it is time to check their consistency via a proof of type soundness. We may start by attempting the Progress lemma, which will eventually guarantee that well-typed expressions cannot go wrong; in symbols, this could go like this: for every expression $e$ such that $e : \tau$ and $e$ is not a value, there exists an expression $e'$ such that $e \mapsto e'$. Now, imagine that our language is fairly sophisticated and our funding agency requires a machine-checkable verification of our results. Thus, we decide to use an automated reasoning tool, possibly an interactive one. A proof of progress is a rather trivial structural induction for a human, but in order to be machine checked, it needs to be spelled out in every detail. We may have implemented judgments defining expressions, values, typing and evaluation: but what about the notion of not being a value? We may try to reason in a strictly intuitionistic way and view $\neg\mathit{value}(e)$ as the derivation of a contradiction $\bot$ from the assumption $\mathit{value}(e)$. This is possible, but certainly not in the spirit of the proof; $\neg\mathit{value}(e)$ is just a test, a way to sift out expressions that are already fully evaluated. What we really need is a positive (inductive) definition of “not being a value”, say $\mathit{nonvalue}(e)$; indeed, this should be possible, since non-values are exactly those expressions which are not values. Nevertheless, manually coding this notion may be tedious and error-prone, especially considering the evolution of our initial specification. Moreover, we will also have the obligation of proving, at least to our satisfaction, that the explicit definition of ‘non-value’ coincides with the negation of ‘value’. Lacking this, our formal verification cannot be entirely trusted.

For another example consider a simple instance of reasoning about process algebra, such as Peterson’s algorithm for mutual exclusion [Pet81]. The problem here is to ensure that two processes can never be simultaneously in their critical section. A process can be in several (possibly many) states, such as sleeping, trying, critical; a transition relation describes how the system moves from one state to another, according to whether a process is allowed to change its status. Suppose we want to verify some property of the system such as safety: for any possible sequence of transitions, if the initial state is safe, so is the final one. Now, from the description of the problem, it is apparent that a state is safe if both processes are not in their critical section. It would benefit the verification attempt to have a positive explicit specification of being a safe state, rather than working with an implicit negative one. Not only can the number of states be fairly large, but consider the natural extension of the same problem to n processes: a hand-written positive specification of a state being safe can be incomplete or plain wrong. Again, over time, the number of states will increase or possibly decrease and the safety specification needs to evolve accordingly.

The bottom line is that negation is a very common connective in a specification, and rightly so, since it is one of the most basic logic operators. Formalizations that use negation are often sharper and more concise. Nevertheless, not every automated reasoning tool available nowadays is able to provide an appropriate handling of this connective. This is particularly problematic for logical frameworks based on higher-order logic or type theory with a logic programming interpretation, such as Twelf [SP98] and λProlog [NM88, Mil89b]. While the latter provide a very advanced unified environment for the specification, implementation and verification of deductive systems, they inherit the traditional problems with negation, which Prolog has struggled with since its inception. These problems are further augmented by some of their more beneficial features; namely by being ‘higher-order’ and being based on intuitionistic provability. Those characteristics are the key elements of the success of those frameworks and should be preserved under every extension. This dissertation presents an approach to endow those languages with a logically sound notion of negation without sacrificing any part of their representation power.

1.1 Logical Frameworks

A logical framework [Pfe00a] is a meta-language for the specification, implementation and verification of deductive systems and their meta-theory. Deductive systems consist of axioms and rules defining derivable judgments; they can be used to specify logics and aspects of programming languages such as operational semantics, type systems, abstract machines and compilation.

Logical frameworks offer a bridge between the success of declarative programming languages (logic and functional) and the unsatisfactory results of general theorem proving. There is perhaps a reasonable middle way between Poincaré’s derision of the logicist approach:

“If you need twenty-seven equations to prove that 1 is a natural number, how many will you need to prove a real theorem?”¹

and Wos’ claim to have solved with OTTER real mathematical open questions (see [WM91] for a depressing list).

Many logical frameworks have been proposed in the literature (see [Pfe00a] for an overview) and many extensions are also under consideration. However, we must carefully balance the benefits that any proposed extension can bring against the complications its meta-theory would incur. We have two main issues to consider:

1. It has been argued that logical frameworks should be by design as weak as possible [dB91], in order to:

• Simplify proofs of adequacy of encodings.

• Allow effective checking of the validity of derivations.

• Reduce the complexity of proof-search.

• Inherit a tractable unification problem.

2. At the same time logical frameworks must provide powerful tools to support the design process of deductive systems. Experience has shown that the strength of a logical framework is proportional to the ease with which it makes encodings simple and concise. The more direct the encoding, the easier it is to reason about it. One well known example is higher-order abstract syntax [PE88], which moves renaming and substitution principles to the meta-language; this avoids the explicit programming and proving of a large series of low-level results about those trivial but ubiquitous concepts. Another example is the reification of derivations as proof terms in type-theoretic languages, which reduces the run-time check for correctness of derivations to type-checking in the meta-language.

The approach taken in the Twelf project is a “pay as you go” one. In other words, every extension is carefully crafted so as to be conservative on the operational and declarative semantics of the core language. Examples are the linear extension [CP96] or refinement types [Pfe93].

1.2 Negation

The aim of this thesis is to develop a framework for the synthesis of the negation of logic programs in logical frameworks such as hereditary Harrop formulae (HHF) [MNPS91] and its implementation in λProlog [NM88]. We intend this to set the basis for type-theoretic frameworks such as LF [HHP93] and its implementation Twelf [SP98] and possibly their linear refinements Lolli [HM94] and LLF [CP96]. This approach could also be useful for (intuitionistic) generic theorem proving systems, especially ones based on higher-order logic or type theory such as Isabelle [Isa98] and Coq [DFH+93].

¹ Les derniers efforts des logiciens, in Science et Méthode, p. 193.

Those systems (Isabelle and Coq excluded) do not provide a primitive negation operator. Indeed, constructive logics usually implement negative information as $\neg A = A \supset \bot$, where $\bot$ denotes absurdity and the Duns Scotus law is the elimination rule. Thus negative predicates have no special status; that would correspond to explicitly coding negative information in a program, which is entirely consistent with the procedural interpretation of hypothetical judgments available in logical frameworks with a logic programming interpretation. However, this would not only significantly complicate goal-oriented proof search (as is manifested in the difficulty of implementing, for example, the full logic of Forum [Mil94]), but providing negative definitions seems to be particularly error-prone, repetitive and not particularly interesting; more importantly, in a logical framework we also have to fulfill the proof obligation that the proposed negative definition does behave as the complement (of its positive counterpart).

Providing a viable negation operator has an immediate practical relevance in programming in those languages, since it relieves the user from the burden of explicitly encoding negative information in the form of clauses which express the condition for a predicate not to hold. Automating the synthesis of negative information has not only a clear benefit in the logic programming sense, but it may also have a rather dramatic effect on the possibility of implementing deductive systems that would prove to be too unwieldy to deal with otherwise. The synthesis of the negation of predicates such as typable, well-formed, canonical form, subsort, value etc., as well as Prolog-like predicates such as equality, set membership and the like, will increase the amount of meta-theory that can be formalized.

Of course, the addition of negation does not change the recursion-theoretic expressive power of a language, but we claim that it does make a difference at the representation level. To take this to the extreme, deductive systems could eventually be expressed in, say, first-order Horn logic and ideally proof-checked or even demonstrated by a resolution theorem prover or more likely by an interactive one. In practice, this has turned out to be very problematic, if not a total failure; hence the refinement of the tools to higher-order logic and type theory.

Traditionally, negation-as-failure (NF) [Cla78] has been the overwhelmingly used approach in logic programming (see [AB94] for a recent survey): that is, infer $\neg A$ if every proof of $A$ fails finitely. The operational nature of this rule and its ultimately troublesome logical status is a serious threat to the logical frameworks’ endeavor. We will return to the topic of why NF is an absolutely inadequate way to address the issues of negation in such a framework in Section 1.4.

While the topic of negation has been pursued to the extreme in first-order logic programming (we shall attempt a small review of closely related approaches in Section 1.3), the field is almost virgin as far as higher-order logic and type theory are concerned: languages such as λProlog implement NF with the usual cut-fail combination; a logical reconstruction for the first-order fragment has been attempted, with somewhat disappointing results, in Harland’s thesis [Har91b].

Though the impetus of this enterprise may seem at first sight mainly pragmatic, it should not be underrated. In short, we are trying to design a reasonable notion of negation, a basic building block of any logic, under severe computational constraints:

“The problem is difficult because it seeks a notion of negation which is simultaneously semantically elegant and computationally feasible: in both execution and mathematical/logical semantics the extended language should cleanly extend the definite clause language” [JLLM91].

The reason why NF is so popular in the logic programming paradigm is that it essentially requires no modification to the search structure of a logic programming interpreter. The real question is whether it also satisfies the other aforementioned criteria. Nonetheless this is just a part of it:

“... this notion [NF] is a basic logical notion, a notion of value to pure logic (as studied since the Ancient Greeks) of equal importance and theoretical standing as notion like Possibility, Deduction, Axiom and the like. The role of negation by failure in logic programming is only a special case: one manifestation of its role in logic” [Gab91].

Our answer to this plea will be to show that, paradoxically, the best way to deal with negation in the logic programming setting is to eliminate it through transformation.

It is a basic fact of classical propositional logic that connectives are inter-definable; more precisely, a sufficiently expressive set of sentential operators can provide, by definition, the missing ones, as an immediate consequence of their truth-value semantics. It is therefore customary and economically convenient to assume as primitive only this basis and define the other operators in terms of the former. In almost every definition negation is taken as primitive, paired either with conjunction, disjunction or implication; even those more succinct presentations based on a singleton connective such as nand retain an implicit flavor of negation.

There is yet another way to address negation which is related to the transformational approach we are interested in. This is known as negation normal form and it is used for example in Tait’s concise proof of cut-elimination for classical logic. For every atomic predicate symbol $p$ we also have a symbol denoting the opposite, say $\bar{p}$. Then, with the essential usage of double negation elimination and De Morgan’s laws, negation is defined as follows:

$$
\begin{array}{rcl}
\neg p & \stackrel{\mathrm{def}}{=} & \bar{p} \\
\neg \bar{p} & \stackrel{\mathrm{def}}{=} & p \\
\neg (A \wedge B) & \stackrel{\mathrm{def}}{=} & \neg A \vee \neg B \\
\neg (A \vee B) & \stackrel{\mathrm{def}}{=} & \neg A \wedge \neg B
\end{array}
$$

Thus, as far as the classical propositional structure is concerned, negation can be accomplished simply by renaming. Consistency is then achieved by adding axioms that specify that it is inconsistent to hold both $p$ and $\bar{p}$, namely $p \supset \neg\bar{p}$ and $\bar{p} \supset \neg p$.
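The renaming definition above, carried out in code as an added example (this is not code from the dissertation): negation is pushed down to the atoms by switching between $p$ and $\bar{p}$, the result is checked by brute force to be classically equivalent to the input, and the consistency axioms $p \supset \neg\bar{p}$, $\bar{p} \supset \neg p$ are generated for each predicate symbol. The tuple encoding of formulas and the `_bar` suffix standing for $\bar{p}$ are assumptions of this example; the implication case goes beyond the two clauses on the page, using the classical reading $A \supset B \equiv \neg A \vee B$, which is sound here only because the setting is classical propositional logic.

```python
import itertools

# Propositional formulas as nested tuples (an encoding constructed for this example):
#   ('atom', 'p')   ('neg', F)   ('and', F, G)   ('or', F, G)   ('imp', F, G)
# The opposite symbol p-bar of an atom p is written with the suffix '_bar'.


def opposite(name):
    """p -> p_bar and p_bar -> p, so that a doubly negated atom collapses back to p."""
    return name[:-4] if name.endswith('_bar') else name + '_bar'


def nnf(f):
    """Negation normal form by renaming: the result contains no 'neg' node at all;
    negation survives only as the choice between p and p_bar."""
    tag = f[0]
    if tag == 'atom':
        return f
    if tag in ('and', 'or'):
        return (tag, nnf(f[1]), nnf(f[2]))
    if tag == 'imp':                                     # A ⊃ B ≡ ¬A ∨ B (classical reading)
        return ('or', nnf(('neg', f[1])), nnf(f[2]))
    g = f[1]                                             # tag == 'neg': push ¬ inward
    if g[0] == 'atom':
        return ('atom', opposite(g[1]))                  # ¬p ≝ p_bar,  ¬p_bar ≝ p
    if g[0] == 'neg':
        return nnf(g[1])                                 # ¬¬A ≝ A (double negation elimination)
    if g[0] == 'and':                                    # ¬(A ∧ B) ≝ ¬A ∨ ¬B
        return ('or', nnf(('neg', g[1])), nnf(('neg', g[2])))
    if g[0] == 'or':                                     # ¬(A ∨ B) ≝ ¬A ∧ ¬B
        return ('and', nnf(('neg', g[1])), nnf(('neg', g[2])))
    if g[0] == 'imp':                                    # ¬(A ⊃ B) ≡ A ∧ ¬B
        return ('and', nnf(g[1]), nnf(('neg', g[2])))
    raise ValueError(f"unknown connective {tag!r}")


def has_neg(f):
    """True if a 'neg' node survives anywhere in the formula."""
    return f[0] == 'neg' or any(has_neg(s) for s in f[1:] if isinstance(s, tuple))


def base_atoms(f):
    """Underlying predicate symbols, identifying p with p_bar."""
    if f[0] == 'atom':
        return {f[1][:-4] if f[1].endswith('_bar') else f[1]}
    return set().union(*(base_atoms(s) for s in f[1:]))


def evaluate(f, truth):
    """Classical truth value under an assignment, reading p_bar as 'not p'."""
    tag = f[0]
    if tag == 'atom':
        name = f[1]
        return (not truth[name[:-4]]) if name.endswith('_bar') else truth[name]
    if tag == 'neg':
        return not evaluate(f[1], truth)
    if tag == 'and':
        return evaluate(f[1], truth) and evaluate(f[2], truth)
    if tag == 'or':
        return evaluate(f[1], truth) or evaluate(f[2], truth)
    if tag == 'imp':
        return (not evaluate(f[1], truth)) or evaluate(f[2], truth)
    raise ValueError(tag)


def equivalent(f, g):
    """Brute-force check that f and g agree on every assignment to their atoms."""
    names = sorted(base_atoms(f) | base_atoms(g))
    for bits in itertools.product([False, True], repeat=len(names)):
        truth = dict(zip(names, bits))
        if evaluate(f, truth) != evaluate(g, truth):
            return False
    return True


def consistency_axioms(names):
    """For each symbol p, the pair of axioms p ⊃ ¬p_bar and p_bar ⊃ ¬p."""
    return [(('imp', ('atom', n), ('neg', ('atom', n + '_bar'))),
             ('imp', ('atom', n + '_bar'), ('neg', ('atom', n))))
            for n in names]


if __name__ == "__main__":
    F = ('neg', ('and', ('atom', 'p'), ('neg', ('atom', 'q'))))   # ¬(p ∧ ¬q)
    print(nnf(F), has_neg(nnf(F)), equivalent(F, nnf(F)))
```

The equivalence check is what the page calls consistency at the level of truth values; it is only meaningful because `evaluate` interprets `p_bar` as the complement of `p`, which is exactly what the consistency axioms impose on the renamed theory.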

This is another way to look at the approach to negation that we shall investigate, that is the transformational one, also known as intensional negation, initiated in [ST84] and developed in Pisa for Horn logic [BMPT87, BMPT90, BLLM94]. Roughly, given a clause with occurrences of negated predicates, say $Q \leftarrow G_1, \neg P, G_2$, where $P$ is an already defined atom, the aim is to derive a positive predicate, say $\mathit{non}\_P$, which implements the complement of $P$, preserving operational equivalence; then, it is merely a question of replacement, yielding the negation-less clause $Q \leftarrow G_1, \mathit{non}\_P, G_2$. This has the neat effect that negation and its problems are eliminated, i.e. we avoid any extension to the (meta) language. Technically, we can achieve this by transforming the body of the iff-completion [Cla78] of a Horn program into negation normal form and then by negating atoms via complementing terms, a problem first addressed in [LM87] for first-order terms. To mention the simplest example possible, suppose we have a procedure $p$ that calls somewhere a check for a number not to be even, where the latter is already defined:

    p(X) ← ... ¬even(X) ...

    even(0).
    even(s(s(Y))) ← even(Y).

The goal is to obtain a definition for p, where the negative occurrence of even(X) is replaced by a positive call to its complement, say non_even(X). This involves the synthesis of the non_even predicate from its positive definition:

    p(X) ← ... non_even(X) ...

    non_even(s(0)).
    non_even(s(s(Y))) ← non_even(Y).
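The base case non_even(s(0)) above is obtained by complementing the terms in the heads of the even clauses: over the constructors 0 and s, the complement of the pattern set {0, s(s(Y))} is exactly {s(0)}. The following added example (not code from the dissertation or from [LM87]) implements the first-order term-complement construction for linear patterns and checks its output by enumerating ground terms; the tuple encoding of terms, the signature dictionary and all function names are assumptions of this example. It works for any first-order signature, not only the naturals used on the page.

```python
import itertools

# Signature of the naturals from the even/non_even example (constructed for this
# example): constructor name -> arity.
NAT_SIG = {'0': 0, 's': 1}

# A pattern is a nested tuple ('f', arg1, ..., argn); a variable is a plain string.
# Patterns are assumed linear (no repeated variable), as in the first-order setting.
_fresh_counter = itertools.count(1)


def is_var(t):
    return isinstance(t, str)


def fresh():
    """A fresh pattern variable; every unconstrained position gets its own."""
    return f"_{next(_fresh_counter)}"


def complement(t, sig=NAT_SIG):
    """Patterns whose ground instances are exactly the terms NOT matching t.

    Not(x)          = {}                                  a variable matches everything
    Not(f(t1..tn))  = { g(x1..xm) | g in sig, g != f }    a different constructor
                    u { f(x1.., s, ..xn) | s in Not(ti) } a mismatching argument
    """
    if is_var(t):
        return []
    f, args = t[0], t[1:]
    out = [(g,) + tuple(fresh() for _ in range(n)) for g, n in sig.items() if g != f]
    for i, ti in enumerate(args):
        for s in complement(ti, sig):
            rest = [fresh() for _ in args]
            rest[i] = s
            out.append((f,) + tuple(rest))
    return out


def meet(a, b):
    """Most general common instance of two linear patterns, or None if disjoint."""
    if is_var(a):
        return b
    if is_var(b):
        return a
    if a[0] != b[0] or len(a) != len(b):
        return None
    args = []
    for x, y in zip(a[1:], b[1:]):
        m = meet(x, y)
        if m is None:
            return None
        args.append(m)
    return (a[0],) + tuple(args)


def complement_set(pats, sig=NAT_SIG):
    """Complement of a set of patterns: the intersection of the single complements."""
    acc = [fresh()]  # start from the pattern that matches every term
    for p in pats:
        acc = [m for a in acc for c in complement(p, sig)
               if (m := meet(a, c)) is not None]
    return acc


def matches(pat, ground):
    if is_var(pat):
        return True
    return pat[0] == ground[0] and all(matches(p, g) for p, g in zip(pat[1:], ground[1:]))


def ground_terms(depth, sig=NAT_SIG):
    """All ground terms of nesting depth at most `depth` over the signature."""
    if depth == 0:
        return []
    smaller = ground_terms(depth - 1, sig)
    return [(g,) + args for g, n in sig.items()
            for args in itertools.product(smaller, repeat=n)]


def is_partition(pats, depth=6, sig=NAT_SIG):
    """On all ground terms up to `depth`: every term matches either the original
    patterns or their complement, and never both."""
    neg = complement_set(pats, sig)
    return all(any(matches(p, t) for p in pats) != any(matches(q, t) for q in neg)
               for t in ground_terms(depth, sig))


# Heads of the even clauses from the text: even(0) and even(s(s(Y))).
EVEN_HEADS = [('0',), ('s', ('s', 'Y'))]

if __name__ == "__main__":
    print(complement_set(EVEN_HEADS))  # [('s', ('0',))]: the head of non_even(s(0))
    print(is_partition(EVEN_HEADS))    # True
```

Only the clause heads are complemented here; the recursive clause of non_even comes from the negation of the completion body, which is the clause-level phase the page describes next and which this example does not attempt.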

Thus where is our contribution? The problem is that this does not carry over immediately to every computational logic, where the notion of negation normal form may be in itself problematic. The issue was not apparent in the existing literature because of the identification of logic programming with Horn programming. By accident or necessity (though we now lean towards the former) Horn logic imposed itself as the format in logic programming. Because of its restricted syntax, classical and intuitionistic provability coincide in this fragment. This entails that classical equivalences preserve the intended operational semantics of the source program. Thus negation normal forms do work here, as we explain in Chapter 5.

Nevertheless, this approach does not scale immediately to more expressive languages. Once we go beyond Horn logic, the intuitionistic (or ‘search-like’) interpretation becomes crucial to ensure the existence of what is commonly agreed to be a reasonable interpreter for a logic programming language. Our endeavor can be paraphrased as the search for a notion of negation normal form for a significant fragment of higher-order intuitionistic logic which is compatible with a logic programming interpretation.

It must be remarked that the issue of negation in constructivism is by no means new, but it has been considered problematic by many. One sticky point lies in the Heyting semantics of $\neg A$, seen as short for $A \supset \bot$; many have expressed doubts about the epistemological status of a construction which yields the absurdum. A discussion can be found in Wansing’s monograph [Wan93]. Already in his textbook [Hey56] Heyting mentions Griss’ attempt to formalize a notion of negation-less mathematics. The most well-known approach to marry a first-class notion of negation with constructivism is Nelson’s strong negation [Nel49]. As we will argue in Section 5.3, the interaction between strong negation and implication is inadequate to support the operational interpretation of HHF we are interested in.

Additionally, elimination of negation does not scale immediately to logical frameworks such as HHF, for two other reasons:

1. The simply-typed λ-calculus is not closed under term complement.

2. There is an intrinsic tension between the Closed World Assumption (CWA) [Rei78], which is associated with negation, and the Open World Assumption (OWA) typical of languages with embedded implication.

Differently from the first-order case, the complement of a lambda term cannot, in general, be described by a pattern, or even by a finite set of patterns. We can isolate one basic difficulty: a pattern such as $\lambda x.\, E\, x$ for an existential variable $E$ matches any term of appropriate type, while $\lambda x.\, E$ matches precisely those terms $\lambda x.\, M$ where $M$ does not depend on $x$. The complement then consists of all terms $\lambda x.\, M$ such that $M$ does depend on $x$. However, this set cannot be described by a pattern, or even a finite set of patterns. This formulation of the problem suggests that we should consider a calculus with an internal notion of strictness, so that we can directly express that a term must depend on a given variable. We will therefore introduce a strict λ-calculus in which term complement for the simply typed λ-calculus can be embedded and performed.

The second issue is rooted again in the fundamental difference between Horn and HHF formulae: as is well known, a Horn predicate definition can be seen as an inductive definition of the same predicate. The minimality condition of inductive definitions excludes anything else which is not allowed by the base and step case(s). This corresponds in Horn logic to the existence of the least model and to the consistency of the CWA and its finitary approximation, the completion of a program [Cla78]: every atom which is not provable from a program is assumed to be false. Languages which provide embedded implication and universal quantification are instead open-ended and thus require the OWA; in fact, dynamic assumptions may, at run-time, extend the current signature and program in a totally unpredictable way. This makes it in general impossible to talk about the closure of such a program. In the literature (reviewed in detail in Section 5.5) the issue has been addressed in essentially three ways:

1. By enforcing a strict distinction between CWA and OWA predicates and applying NF only to the former [Har91b], where the latter would require minimal negation, as in [Mom92].

2. By switching to a modal logic, which is able to take into account arbitrary extensions of the program as possible worlds (see the completion construction in [GO98] for N-Prolog and [Bon94] for Hypothetical Datalog).

3. By embracing the idea of partiality in inductive definitions and using the rule of definitional reflection to incorporate a proof-theoretical notion of closure analogous to the completion [SH93, MM97].

None of those approaches is satisfactory for our purposes: most of the predicates we want to negate are open-ended; similarly, definitional reflection is not well-behaved (for example cut is not eliminable) for that very class of programs we are interested in. Moreover, we need to express the negation of a predicate in the same language in which the predicate is formulated. Our solution is to restrict the set of programs we deem deniable in a novel way, so as to enforce a Regular World Assumption (RWA): we define a class of programs whose dynamic assumptions extend the current database in a specific regular way. This constitutes a reasonable middle ground between the CWA, which allows no dynamic assumption but is amenable to negation, and the OWA, where assumptions are totally unpredictable. The RWA is also a promising tool in the study of meta-logical frameworks [Sch00]. Technically, this regularity under dynamic extension is calibrated so as to ensure that static and dynamic clauses never overlap. This property extends to the negative program; in a sense, we maintain a distinction between static and dynamic information, but at a much finer level, i.e. inside the definition of a predicate. The resulting fragment is very rich, as it captures the essence of the usage of hypothetical and parametric judgments in a logical framework; namely, that they are intrinsically combined to represent scoping constructs in the object language. This is why we contend that this class of programs is adequate for the practice of logical frameworks.

1.2.1 What is Failure (in a Logical Framework)?

A minimal requirement for a negation operator is that if a set of assumptions $\Gamma$ is consistent, it is the case that $\Gamma \vdash A$ iff not $\Gamma \vdash \neg A$. It is a key issue how to interpret the notion of non-existence of a proof. In the logic programming tradition this has been identified with the idea of finite failure: the logic programming interpreter is run by querying a given program $\mathcal{P}$ with a goal $G$; the halting of the query without a derivation is evidence enough to assert the negation of $G$. This idea actually traces back to the same principle in the deductive database context, where the decision problem has a positive answer. Indeed, in this setting, the Closed World Assumption is a most natural one, since, given the large number of entries in a database, the only reasonable way to encode negation is by absence. The transfer of this idea to full logic programming [She85] has not been exactly worry-free, as the enormous literature on the subject testifies. Luckily, our requirements are somewhat different from general logic programming; in fact, in a logical framework, negation refers not to finite failure but to unprovability tout court, as we refrain from negating programs whose negation is not recursively axiomatizable: the adequacy of the representation would break down, since there would be functions which cannot be captured by the framework. We will therefore deal only with terminating programs; this is why we identify negation with a complement operation. This restriction, far from being an easy way out, gives us the additional burden of proving that termination is preserved under every manipulation of programs.

It is clear that elimination of negation makes sense only when negation is stratified [ABW88], i.e. the negative predicates ultimately refer (in the call graph) to a positive one. We will informally adopt the generally accepted weaker notion of local stratification [AB94], where the positive dependency relies not simply on predicate names, but on ground instantiations of literals. While there may be a place in logic programming for non-stratified negation, as the emerging answer set programming paradigm [Lif99] testifies, the latter seems to be circumscribed to solving mainly combinatorial problems. This does not seem to be a concern for a logical framework.

1.2.2 Which Logical Framework?

In this dissertation we work with the pattern fragment of third-order HHF; thus our results apply to the same fragment of $L_\lambda$ [Mil91], although every design decision has been influenced by the possibility to extend it to the richer language of LF and to its implementation in Twelf. We comment on this in the conclusions (Chapter 7). Twelf can be seen as a dependently-typed CLP-oriented enhancement of $L_\lambda$. Both share unification restricted to the pattern fragment, as well as the lack of predicate quantification. For convenience we take the liberty of decorating HHF clauses with labels that can be thought of as names. This allows us to be more concise when applying program transformations. Even though they resemble the same notation in Twelf, they lack any intrinsic meaning and will not be used as proof-terms.

Furthermore, we restrict ourselves to HHF without local variables. If we look in the usual logic programming fashion at an implicational clause as a rule where the consequent is the ‘head’ and the antecedent the ‘body’, a local variable is an essentially existential one which occurs in the body but not in the head. This restriction is customary in the literature on elimination of negation [ST84, MPRT90a]. For example the following clause for typing application cannot be allowed in this format:

    ofapp : ∀E1,E2:exp, ∀T1,T2:tp.
              of (app E1 E2) T2
                ← of E1 (arrow T1 T2)
                ← of E2 T1.

The problem is that Horn clauses with local variables are already not closed under complementation; in fact, elimination of negation will transform those into extensionally universally quantified variables. It is a whole new topic to give an operational reading of universal quantification in this setting and to mingle it with parametric judgments. It is our feeling that the issue of local variables during complementation does not have a simple general solution. Approaches which embrace the extensional nature of universal quantification brought in by the negation of existential quantifiers [BMPT90, ABT90] are not satisfactory and robust enough to carry over to logical frameworks with intensional universal quantification, except when dealing with finite domains.

While it is well-known that every computable function can be expressed by a Horn program without local variables, we cannot hide that this is a somewhat severe restriction. We offer some ideas on how to partially overcome it in the conclusion (Subsection 7.1.4).

1.3 From Theorem Proving to Prolog

A legitimate question to ask is why logic programming does not have a primitive notion of negation. To understand that, we need to say something about how logic programming and Prolog developed. This enterprise has followed a rather peculiar trajectory: logic programming owes its (relative) success to the way it limits and directs generic theorem proving; from then on, ironically, most of the effort has gone into extending its boundaries without falling back onto full clausal logic.

Automatic theorem proving, or at least the intuition (and the dream), can be dated back to Leibniz, but it became more of a reality in 1965 when Robinson introduced the resolution principle [Rob65]. Briefly, it is a proof procedure which proceeds by contradiction, converting a sentence to clausal form and testing for inconsistency with a version of Gentzen's cut-rule augmented with unification. Yet, this approach has been shown to be in general impractical. A great deal of research developed after Robinson's breakthrough aimed at restricting the search space while preserving completeness. This is not the place to give even a short account of these studies: we just sketch those that led to the basis of Prolog as we know it; for references and a chronology see [Apt90]. When building a refutation there are basically two sources of choice:

1. Deciding which clauses to pick as parent clauses,

2. Deciding which literals in those clauses are to be resolved away.

One way to support the first restriction is linear resolution, independently proposed by Loveland and Luckham in 1970, which, by fixing one goal at each step, never needs to resolve two input clauses together. As far as the second point is concerned, we may decide, after Hill, Kowalski and Kuehner, to fix the literal to resolve in the center clause ('linear resolution with selection function'). Though we have narrowed the search space considerably, there is still a fair amount of choice, namely conjunctive choice in the side clauses, ancestor tracking and factoring. The winning strategy is to restrict the syntax of the clauses themselves; the choice fell on Horn clauses: definite clauses (that is, clauses with exactly one positive literal) are interpreted as input ones, while Horn clauses with empty positive part are taken as goals. Eventually we have arrived at pure Prolog, or SLD-resolution.

What has SLD-resolution to do with programming? The answer can be found in the so-called procedural interpretation of Horn logic. Although the origins of Prolog are shrouded in mystery, it is known that in 1972 both Kowalski and Colmerauer came up with the idea that (a subset of) logic could be used as a programming language. A definite clause A ← B1, B2, ..., Bn can be viewed as a definition of an Algol-like procedure:

procedure A
begin
  call B1
  call B2
  ...
  call Bn
end

Goal invocation corresponds to procedure invocation, and the ordering of the goals in the body of the invoked clause corresponds to the sequencing of statements. In logic programs data manipulation is entirely achieved by means of unification, which encompasses parameter passing, multiple assignment, record allocation, data construction and selection.

In spite of its limits, it can be shown that Horn logic has the same computational power as every other programming language [Apt90]. Moreover, Horn logic has some nice model-theoretic properties, namely the minimum model property; it is natural to consider the latter as the declarative meaning or the intended interpretation of a program. Therefore it has been argued that we should be content with Horn logic, which seems to be a complete and reasonably efficient computational logic. However, many have been dissatisfied with the difficulty of expressing even the easiest logical problems in a language that lacks (explicit) disjunction and negation. We share this complaint up to a certain point. We maintain that logic programming works as long as the logical and the algorithmic parts do not differ too much, and that Kowalski's motto "Programs = Logic + Control" has shown its intrinsic limitations. Yet, we strongly share the idea that, especially from a programming point of view, it would be advisable to have the possibility of performing negative queries and, above all, to have a negation operator in the body of clauses instead of simulating it with extra-logical constructions, which make programs less understandable and declarative. It is not a question of expressive power; it is a matter of style and convenience.

There are three ways, in order of increasing complexity, to add negation to Horn logic:

• Negative atomic queries.

• Negative literals in clause bodies.

• Negative heads.

It is not possible to review all the proposed extensions; historically much of the attention has been concentrated on incorporating NF; from that, most of first-order expressivity is recovered [LT84].

1.4 Negation-as-Failure

Since negative information is independent from definite programs, a specialized inference rule must be invoked: negation as failure (NF), which in logic programming originated from the confluence of two quite different trends of research: the refinements of resolution-based automatic proof procedures and the relational approach to databases. For a nice introduction see [She88, AB94]. The idea of a proof under the NF rule is a natural one: suppose you have a set of axioms and some kind of inference mechanism which produces a recursively enumerable set of theorems, and that you are asked to verify the truth of a negative conjecture ¬C under NF; then you try to prove C from your theory; if you succeed, then ¬C does not hold, while if you realize (in a finite time) that C is not provable, then you are entitled to assert that ¬C holds. Its basic idea is to state that a goal is false if we are able to prove that it cannot be proved by the program. Actually, NF is more a computational than a logical notion; we answer 'no' to a goal because our attempt to say 'yes' failed, so we say 'no' because we cannot say 'yes'. Unlike other kinds of negation, NF ". . . does not follow from some constructive knowledge, but from lack of knowledge" ([Gab91], p. 8). That motivates its intrinsic non-monotonicity: in fact, in dynamic databases every enlargement may cause the meaning of failure to change and so turn success into failure.

In logic programming, NF works this way:

". . . The basic idea is to use SLD-resolution augmented by the NF rule. When a positive literal is selected, we use essentially SLD-derivation to derive a new goal. However, when a ground negative literal is selected, the goal answering process is entered recursively in order to try to establish the negative subgoal . . . Having selected the ground negative literal ¬A in some goal, an attempt is made to construct a finitely failed SLDNF tree with root ← A before continuing with the remainder of the computation. If such a tree is constructed, then the subgoal ¬A succeeds. Otherwise, if a SLDNF-refutation is found for ¬A, then the subgoal fails . . ." ([Llo93], p. 87).

The operational nature of this rule motivates the lack of a unique semantics and some of its related troublesome features: to begin with, possible unsoundness: without run-time checks on the substitution returned by a negative open query, the final answer substitution may not be a logical consequence of the program. This is the so-called "floundering" phenomenon, the undecidable question of whether the computation will reach a negative open query and abort. Soundness is preserved only for ground queries; the flip side of the coin is that now negation is not a first-class connective, but just a test that cannot return substitutions. We review in Section 1.5.1 how and at what computational cost this can be avoided. And of course, NF is in general incomplete for general logic programs.
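To make the procedural reading of Section 1.3 and the NF rule just described concrete, here is an added example in Python; it is not code from the dissertation. It is a small SLDNF interpreter in which clause selection is procedure invocation, unification does all data manipulation, a ground negative literal succeeds only when the SLD tree for its atom is finitely failed, a non-ground negative literal is reported as floundering instead of being evaluated unsoundly, and adding a single fact turns a former success into failure. The term encoding, the predicate names even, nat, odd and odd_unsafe, and all helper names are assumptions of this example.

```python
# Added example, not from the dissertation: a minimal SLDNF interpreter showing the
# procedural reading of Horn clauses (Section 1.3) and negation as failure (Section 1.4).
from itertools import count

# Constructed term encoding: variables are ('V', name); other terms are
# (functor, arg1, ..., argn), so a constant is a 1-tuple such as ('0',).
def var(name): return ('V', name)
def is_var(t): return len(t) == 2 and t[0] == 'V'

def walk(t, s):
    """Dereference t through the substitution s (a dict from variables to terms)."""
    while is_var(t) and t in s:
        t = s[t]
    return t

def unify(a, b, s):
    """Extend s to a most general unifier of a and b, or return None.
    No occurs check, as in Prolog: this is the whole of data manipulation here."""
    a, b = walk(a, s), walk(b, s)
    if a == b: return s
    if is_var(a): return {**s, a: b}
    if is_var(b): return {**s, b: a}
    if a[0] != b[0] or len(a) != len(b): return None
    for x, y in zip(a[1:], b[1:]):
        s = unify(x, y, s)
        if s is None: return None
    return s

def subst(t, s):
    """Apply s to t, following bindings inside compound terms."""
    t = walk(t, s)
    return t if is_var(t) else (t[0],) + tuple(subst(x, s) for x in t[1:])

def is_ground(t, s):
    t = walk(t, s)
    return not is_var(t) and all(is_ground(x, s) for x in t[1:])

def term_vars(t):
    return {t} if is_var(t) else set().union(*(term_vars(x) for x in t[1:]))

_fresh = count()
def rename(clause):
    """Rename a clause apart with fresh variables before each use."""
    head, body = clause
    mapping = {}
    def ren(t):
        if is_var(t): return mapping.setdefault(t, var(f"{t[1]}_{next(_fresh)}"))
        return (t[0],) + tuple(ren(x) for x in t[1:])
    return ren(head), [(sign, ren(atom)) for sign, atom in body]

class Floundering(Exception):
    """A non-ground negative literal was selected: NF is only sound on ground goals."""

def solve(program, goals, s):
    """Depth-first SLDNF over a list of ('pos', atom) / ('neg', atom) literals.
    Yields answer substitutions; an infinite SLD tree shows up as a RecursionError."""
    if not goals:
        yield s
        return
    (sign, atom), rest = goals[0], goals[1:]
    if sign == 'neg':
        if not is_ground(atom, s):
            raise Floundering(subst(atom, s))
        # NF rule: not A succeeds iff the SLD tree for A is finitely failed.
        if any(True for _ in solve(program, [('pos', atom)], s)):
            return                      # A has a refutation, so not A fails
        yield from solve(program, rest, s)
        return
    for clause in program:              # goal invocation = try each procedure for A
        head, body = rename(clause)
        s1 = unify(atom, head, s)       # parameter passing by unification
        if s1 is not None:              # body literals run before the remaining goals
            yield from solve(program, body + rest, s1)

def answers(program, goals, limit=3):
    """Up to `limit` answers, each restricted to the query's own variables."""
    qvars = set().union(*(term_vars(atom) for _, atom in goals))
    out = []
    for s in solve(program, goals, {}):
        out.append({v[1]: subst(v, s) for v in qvars})
        if len(out) >= limit: break
    return out

def flounders(program, goals):
    """True when evaluating the query selects a non-ground negative literal."""
    try:
        answers(program, goals, limit=1)
        return False
    except Floundering:
        return True

# Constructed sample program over unary numerals 0, s(0), s(s(0)), ...
Z = ('0',)
def S(t): return ('s', t)
X = var('X')
PROGRAM = [
    (('even', Z), []),                                   # even(0).
    (('even', S(S(X))), [('pos', ('even', X))]),         # even(s(s(X))) :- even(X).
    (('nat', Z), []),                                    # nat(0).
    (('nat', S(X)), [('pos', ('nat', X))]),              # nat(s(X)) :- nat(X).
    (('odd', X), [('pos', ('nat', X)), ('neg', ('even', X))]),         # generator first
    (('odd_unsafe', X), [('neg', ('even', X)), ('pos', ('nat', X))]),  # negation first
]
```

The safe odd clause calls the generator nat(X) before the negative literal, so by the time not even(X) is selected X is ground; odd_unsafe selects the negative literal first and therefore flounders on an open query, which is exactly the run-time situation the delaying strategies of Section 1.5.1 try to avoid. Appending the fact even(s(0)) to PROGRAM makes the formerly successful query odd(s(0)) fail, illustrating the non-monotonicity noted above.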

All of the above makes NF a suspicious candidate for a negation operator in any logic programming language, but the situation is even worse in logical frameworks. Even if we manage to isolate a well-behaved logical fragment, such as acyclic normal programs [AB90], allowing NF in a logical framework carries some additional problems. First, the meta-theory becomes really unwieldy, as both provability and unprovability must now be taken into account. The two systems would be interlinked by rules such as:

$$\frac{\Gamma \nvdash F}{\Gamma \vdash \neg F}\; R{\vdash} \qquad\qquad \frac{\Gamma \vdash F}{\Gamma \nvdash \neg F}\; R{\nvdash}$$

where ⊬ denotes a proof system for finite failure. In a type-theoretic logical framework this issue is further exacerbated by the need to deliver evidence of what a proof of a certain judgment is. The most popular way, since the Automath project [dB80], is to see derivations as lambda terms inhabiting judgments seen as types. Although it is in principle possible to associate proof-terms to a derivation by negation-as-failure (this is implicit in the denial proof system that we present in Chapter 6, Figures 6.1 and 6.2), the existence of (unique) canonical forms is in general impossible to achieve; and this is pretty much a death sentence for NF. In fact, in frameworks with hypothetical judgments, as recognized first by Gabbay [Gab85], the unrestricted combination of NF and embedded implication is particularly problematic, since it leads to the failure of basic logical principles such as cut-elimination. We discuss this issue in detail in Section 5.5.

At the user level, the presence of NF in a logical framework would make adequacy theorems more difficult to establish, again because both provability and unprovability now need to be considered.

In summary, the adoption of NF in a logical framework seems to be a very risky, if not hopeless, road, considering its fragility already in the very simple setting of Horn clauses.


1.5 Extending Horn Logic

As previously mentioned, once Horn logic was isolated as the core of a programming language, a fairly disorderly race was on to get more mileage out of Prolog. To sum up, we can isolate several (slightly overlapping) positions:

• The "tories": for model-theoretic reasons, Horn logic is the best possible world; see the manifesto "Why Horn logic matters in computer science" [Mak87].

• The "realists", guided by Apt: logic programming is Horn logic with NF; what's left to do is to logicize the impure features of Prolog.

• The "Making Prolog more expressive" people, divided in two main intertwined sub-tribes: the "logicians", who claim that programming in Horn logic is like living with one hand tied behind your back, and the "compilers" (see Sato and Tamaki [TS84]): those come from the specification approach and look at Horn logic as an implementation language which is the target of a long and tiresome travel through derivation and/or transformations from first-order logic. For the logicians, it is a must to conquer any piece of land outside Horn logic, say by adding connectives [PG86], pre-compilation [LT84], change of interpreters (say connection graphs [GR87]) or, more reasonably, switching from classical logic to fragments in the intuitionistic galaxy, reviewed in Section 5.5.

• Finally, there is the proof-theoretic approach of uniform proofs: new connectives are allowed only if we can ascribe them a clear meaning in terms of search and provide a way of endowing logic programming in a purely logical way with features such as modules, data abstraction and scoping typical of other mature languages.

We now concentrate on how recent research has tried to address some of the problems connected with NF.


1.5.1 Constructive Negation

Constructive Negation is an attempt to devise methods capable of providing logically justified answers to non-ground negative queries, in analogy with the witnessing property of constructive logics. Formally, for a suitable derivability relation, this property ensures that from ⊢ ∃x ¬p(x) we can infer the existence of a term t such that ⊢ ¬p(t). We can roughly distinguish two approaches:

i. Program Transformation: [ST84], [FRTW88], [BMPT90].

ii. Negation by Constraints: [Wal87] for Datalog programs, [Cha88] [Cha89] and extended to CLP in [Stu95]; Fail Substitutions: [She89] [MN89].

Historically, the original attempt to deal with the issue was simply to try to avoid the floundering phenomenon: given that the latter is in general undecidable, one possibility is to try to make sure that when a negative literal is called it has already been grounded; there are basically three possibilities:

1. Satisfy the syntactic, though very restrictive, conditions on allowed computations [She85], which essentially reduce evaluation to ground evaluation.

2. Try to achieve grounding by delaying, as in [M]NU-Prolog [Nai86] or SICStus [AAB+95], where a goal may be declared to be "frozen" and is evaluated only when it reaches a sufficient degree of instantiation. This is obviously only a partial solution, since at run-time there is no guarantee of eventually grounding the problematic query. A more complex and historically less successful alternative is offered by the computation rules of IC-Prolog, which allow the computation of negative open queries if their positive counterpart does not bind any variable (see [Nai86] for a comprehensive analysis and references).

3. Covering the open negative query with a generator of values for the relevant variables. This is further detailed next.

Static Approaches

If we are dealing with Datalog programs, i.e. with a finite Herbrand Universe (U_P), the naive approach would be to instantiate all the rules with potentially troublesome goals with terms from U_P [ABW88], say through propagation in every negative literal in the program. This is clearly infeasible, since it may result in an intractable number of rules, especially in an untyped setting.

A sophistication of this idea can be found in [FRTW88]: the proposal is to automatically infer a 'type' for the problematic variables and transform the original program into one where grounding is ensured by coverage from those types. Then useless answers originating from general instantiation would be excluded by the typing discipline. Although it can be shown that the new program is equivalent to the old one, this cannot be extended to full Prolog: function symbols make the type infinite and non-ground facts would undermine the instantiation capability of the type.

Finally, the transformation approach falls in this category and is detailed in Chapter 5.
Dynamic Approaches

Chan [Cha88] is acknowledged to be the inventor of the term 'constructive' negation in this area; his approach can be roughly characterized as mixing NF with a constraint-solving attitude. In essence it consists in evaluating a negative goal by executing its positive version and by negating the answer obtained. As in the CLP family of languages, unification and disunification are kept explicit and returned as solutions. Of course, we need to keep the (in)equalities in normal form, and there are some obvious problems when dealing with computations that have infinite answers; those are addressed in a subsequent paper ([Cha89]), by quantifying over the answer substitutions. No proof of completeness is offered. We can offer the following rational reconstruction: the key observation is that if G is a goal and we consider the answer substitutions θ1, ..., θn as equations, G ↔ ∃(θ1 ∨ ... ∨ θn) is a logical consequence of the completed database. Therefore the constructive negation rule is simply ¬G ↔ ¬∃(θ1 ∨ ... ∨ θn), where the right-hand side can be simplified by disunification. For instance, given the query not(even(X)), its positive version yields the answer X = 0 ∨ ∃Y : X = s(s(Y)), whose negation is X ≠ 0 ∧ ∀Y : X ≠ s(s(Y)); its solved form is hence X = s(0), which we can regard as a more informative refinement of the answer constructive negation produces.

A generalization to constraint logic programming over arbitrary structures is given in [Stu95]; it turns out to be sound and complete w.r.t. the three-valued models of the completion. Other developments of constructive negation are addressed in [Fag97].

(E)SLDNF-S ([She89]). The finite failure case in the definition of SLDNF-resolution is modified as follows: a goal (F, ¬A) has a descendent θF if there is a finitely failed tree for θA, where dom(θ) ⊆ FV(A). So NF can instantiate under success, i.e. negative goals may directly return substitutions: given P and G the aim is to look for a (fail) substitution θ such that P ⊢ θG has a finitely failed tree; then by the soundness of the NF rule ∀(θ¬G) is a consequence of comp(P) and thus θ is an answer substitution for the query ¬G. This seems very costly, since it entails enumerating (guessing) every fail substitution. I am not aware of any implementation of this proposal.

This is refined in [MN89], where it is shown how to avoid generating all possible substitutions in favour of a maximal general fail substitution. Moreover, the improvement w.r.t. Chan's work lies in the feature of always including some positive bindings for the variables in the negated goal. If the SLD-tree is infinite, the method enumerates the set of fail substitutions; this corresponds to the fact that in general negative queries cannot be represented by finite positive information alone (connected to [LM87]).

1.5.2 Non-Failure-Driven Negation

Over the years, ways of incorporating other, more logical forms of negation than NF have appeared. Since most of the time this gives back full non-clausal logic, most of them are cataloged as automated theorem provers. In all these accounts, negative information has to be provided explicitly and specific rules are offered to deal with that. Sometimes it is possible to mix "open world" and "closed world" predicates safely. For a more detailed account and bibliography, let me refer to [Mom92].

• N(Q)Prolog [GR84], a complete implementation of positive intuitionistic logic. By defining disjunction classically and allowing a restart rule (see nH-Prolog next), Gabbay shows it to be complete for full classical logic as well.

• Negation as Inconsistency ([GS86]). Here we evaluate a query against an ordered pair (P, N), where P is a Horn program and N a set of queries that are required not to succeed; this is logically equivalent to adding to the program the negation of all the members of N, and permits importing negative facts and rules. Both systems have a very awkward first-order version.

• Stickel's PTTP supplements SLD-resolution with the model elimination rule. This entails keeping track of the ancestors of the goal, losing one of the key features of Prolog, namely input resolution.

• Loveland's nH-Prolog [RL92] incorporates case analysis in SLD-resolution, by demanding the invocation of a restart rule for every disjunctive head, until the stack of the former. Without requiring contrapositives (as in PTTP), it simulates case analysis with different runs of essentially the Prolog engine. Unfortunately naive nH-Prolog is incomplete and the new versions (Progressive nH and Inheritance nH) have a less natural and convincing description.

• Another extension goes under the name of disjunctive logic programming (see [LMR92] and references therein). It aims to deal with full clausal logic by generalizing Horn clauses to disjunctive heads.

1.5.3 Proof-Theoretic Approaches to Negation and NF

In the 90's there has been an attempt to tie LP to proof theory, where it belongs, and this has brought new insights, particularly on NF.

The first step is to view Horn clauses positively as rules and goals as existentially closed conjunctions of atoms to be proved by the former. Historically this can probably be dated back to Gabbay and Reyle [GR84]. It is customary [HSH90] to distinguish between two approaches:

1. Clauses as axioms (programs as theories) and some form of Gentzen sequent calculus to infer goals, i.e. uniform proof systems.

2. Clauses as rules [HSH90]: Horn (and beyond) programs should be seen as sets of inference rules for the derivation of (not necessarily ground) atoms.

This has the following relation with negation:

1. Minimal, intuitionistic and classical negation can be superimposed over uniform proofs [Mil89c], [Har91a], [Mom92]: minimal negation, being camouflaged implication, is executed through the AUGMENT and backchain operations; the evaluation of ¬D consists in the assumption of D and in the attempt to prove ⊥ from the enlarged theory. The Duns Scotus Law and Reductio ad Absurdum for atoms formalize the latter, preserving the features of abstract logic programming languages [MNPS91].

2. GCLA [MAK91] is based on the rule-based definitional approach to logic programming: it has intuitionistic negation built-in, applying the definiens operator to the left-hand side of a sequent. A discussion can be found in Section 5.5.4.

Stärk [Sta92] has given a sequent calculus reconstruction of NF using Clark's equality and freeness axioms, a negation (switch) rule and cut rules. Much more is however contained in Stärk's thesis and subsequent research, although not directly applicable to our goals; to quote a few results, he shows that a sequent is provable in this calculus iff it is true in all 3-valued models of the completion. Furthermore, a completeness result is proved w.r.t. SLDNF-resolution for programs satisfying the cut-property.

1.5.4 Outline

This dissertation is organized in two main parts which address:

• The relative complement problem for higher-order patterns.

• Clause complementation for a fragment of third-order Hereditary Harrop formulae.

We start in Chapter 2 by introducing the relative complement problem; we review the existing solutions to the first-order case in the literature, namely a variant of Lassez & Marriott's original uncover algorithm [LM87] (Section 2.1) and disunification [Com91] (Section 2.2). We then discuss in Section 2.4 the problems connected with extending those ideas to the higher-order case, where we notice the fundamental difference between fully and partially applied terms. For the latter fragment, the simply-typed λ-calculus is not closed under term complement. We remedy this by introducing the strict λ-calculus in Chapter 3. We develop the system and mention the existence of canonical forms. Once we have a calculus strong enough to deal with partially applied terms, Section 4.1 introduces a restriction of the language ("simple terms") for which complementation is possible. The algorithm for negation is presented in Section 4.2; in Section 4.3 we give a unification algorithm for the same fragment. This completes our solution to the relative complement problem for higher-order patterns. We conclude this chapter in Section 4.4 by showing how to organize finite sets of simple terms into a boolean algebra. We end this part of the dissertation by reviewing related work on strictness (Section 3.3).

Chapter 5 sets the stage for clause complementation. First, in Section 5.1, we offer a reconstruction of the transformational approach to negation in the Horn case. Then in Sections 5.2 and 5.3 we give an informal view of the complement algorithm for HHF and of the restrictions it requires by means of examples. In Section 5.4 we try to motivate the pragmatic adequacy of the fragment of HHF we deal with, while Section 5.5 reviews the state of the art in NF and intuitionistic provability.

Chapter 6 is the heart of the thesis; we first introduce the source language and its uniform proof system in Section 6.1. We then establish the fundamental notion of context schema (Section 6.2). This allows us to enforce the Regular World Assumption (RWA), on which clause complementation is built. After formalizing the restriction to terminating programs in Section 6.3, we present the clause complementation algorithm and the related notion of augmentation (Sections 6.5 and 6.6). We then prove the main theorem (Sections 6.7 and 6.8). Finally, Section 6.9 discusses how to give an operational semantics to our language.

We conclude the dissertation in Chapter 7 by discussing first how to lift some of the current restrictions (Section 7.1); then we address possible extensions, implementation issues and further future work (Sections 7.2, 7.3 and 7.4).

1.6 Contributions and Technical Acknowledgments

The original contributions of the thesis are:

• A relative complement algorithm for higher-order patterns internalized into a strict type theory.

• A complement algorithm for a useful class of third-order hereditary Harrop formulae.

We contend that our approach is the first one to give a realistic analysis of negation in logical frameworks with an emphasis on the development of a practical tool to incorporate this operator in existing languages.

This work has benefited enormously from the large ensemble of research collected in the Elf and offspring projects: not only from the existence of this language and environment, but also from specific contributions which we have used (in a somewhat simplified setting) in this thesis. Let me mention only the most recent ones: schema contexts (Schürmann [Sch00]), linear unification (Cervesato and Pfenning [CP96]), subordination (Virga [Vir99]), mode and termination analysis (Rohwedder and Pfenning [RP96]).

This research has been financially supported for seven semesters by the Department of Philosophy at CMU and by a one-year scholarship from "Consiglio Nazionale delle Ricerche", Italy.


Chapter 2

The Relative Complement Problem

An open term t in a given signature can be seen as the intensional representation of the set of its ground instances, say ||t||. According to this interpretation, the complement of t is the set of ground terms which are not instances of t, i.e. are in the set-theoretic complement of ||t||. It is natural to generalize this to the notion of relative complement; this corresponds to computing a suitable representation of all the ground instances of a given (finite) set of terms which are not instances of another given one, in symbols:

$$\|t_1, \ldots, t_n\| - \|u_1, \ldots, u_m\|$$

where commas represent (set-theoretic) union.¹ More properly:

$$\bigcup_{i=1}^{n} \|t_i\| - \bigcup_{i=1}^{m} \|u_i\|$$

Let FV(t_1, ..., t_n) = x̄ be disjoint from FV(u_1, ..., u_m) = ȳ. Then the relative complement problem can also be expressed by the following (restricted) form of equational problem [Com91], where z is a free variable:

$$\exists \bar{x}\, \forall \bar{y} : \bigvee_{i=1}^{n} z = t_i \;\wedge\; \bigwedge_{i=1}^{m} z \neq u_i$$

Example 2.1 Consider the signature containing the usual declarations for 0, s, +. The following rules define integer addition modulo 2.

s(s(0)) → 0
y + 0 → y
0 + y → y
y + y → 0

The following relative complement problem expresses the question of sufficient completeness (in this case yielding a positive answer) of the rewrite rules:

$$\|x_1 + x_2\| - \|s(s(0)),\ 0 + y,\ y + 0,\ y + y\|$$

which corresponds to:

$$\exists x_1 x_2\, \forall y : (z = x_1 + x_2) \wedge (z \neq s(s(0))) \wedge (z \neq y + 0) \wedge (z \neq 0 + y) \wedge (z \neq y + y)$$

Then, since a variable stands for the universe of discourse, a complement problem is representable merely by:

$$\|x\| - \|u_1,\ldots,u_m\|$$

or a simpler ($\exists$-degenerate) equational problem:

$$\forall \bar{y} : \bigwedge_{i=1}^{m} z \neq u_i$$

Now we turn to review solutions to the relative complement problem in first-order languages.

¹ Another equivalent notation found in the literature is $t_1 \vee \cdots \vee t_n \setminus u_1 \vee \cdots \vee u_m$ [LM87], or a mixture of the two.

2.1 The Not Algorithm

We start with the ‘Not’ algorithm for first-order terms that specializes the prototypical uncover algorithm proposed in [LM87] as a first attempt to solve the problem and is at the heart of Barbuti et al.’s approach [BMPT90]. We present it in a many-sorted framework, differently from the uni-sorted original version. We call (in this chapter) a term linear if it does not contain repeated occurrences of a free variable.

Definition 2.2 Consider a many-sorted signature $\Sigma$ and a linear term $t$ of type $\tau$. We define $\mathrm{Not}(t)$ by structural induction, where we suppose that $t_i$ has sort $\tau_i$ and the $z_i$'s are new free variables of appropriate typing:

$$\begin{aligned}
\mathrm{Not}(z : \tau) &= \emptyset\\
\mathrm{Not}(f(t_1,\ldots,t_n) : \tau) &= \{g(z_1,\ldots,z_m) : \tau \mid g \in \Sigma,\ g : \tau'_1 \times \cdots \times \tau'_m \to \tau,\ g \neq f\}\\
&\cup\ \{f(z_1,\ldots,z_{i-1},s,z_{i+1},\ldots,z_n) : \tau \mid s \in \mathrm{Not}(t_i),\ 1 \le i \le n\}
\end{aligned}$$

The uni-sorted version of this function tends to produce a lot of irrelevant outcomes. For example, $\mathrm{Not}(cons(s(x), nil))$ does not yield only the desired $\{nil,\ cons(0, z),\ cons(y, cons(z, xs))\}$ in the informal signature of lists of numerals but also $\{0,\ s(x),\ \ldots\}$. On the other hand, fixing

$$\Sigma = \{0 : nat,\ nil : nlist,\ s : nat \to nat,\ cons : nat \times nlist \to nlist\}$$

we get the desired result. This problem tends to increase dramatically with the size of the signature. It can be argued that the notion of complementation itself without an underlying type discipline makes little sense, not only from a complexity standpoint, but also in intellectual terms. Moreover, more refined type theories, such as dependent types and/or sub-typing, will further constrain the result of the evaluation of Not.

A complement operator must satisfy the following desiderata:

1. Exclusivity: it is not the case that $s$ is both a ground instance of $t$ and of $\mathrm{Not}(t)$.

2. Exhaustivity: $s$ is a ground instance of $t$ or $s$ is a ground instance of $\mathrm{Not}(t)$.

That is, the Not algorithm ought to behave as the complement operation on sets of ground terms.
This  cannot  be  achieved  in  all  generality.  In  other  words,  intensional  representations  of  terms  are  not  closed 
under  complementation.  One  canonical  example  is  as  follows: 

Example 2.3 Consider the signature $\{a : i,\ f : (i \times i) \to i\}$: intuitively the complement of $f(y, y)$ should be:

$$\|x\| - \|f(y, y)\| = \{a\} \cup \{f(x, z) \mid x \neq z\}$$

Instead, the Not algorithm would incorrectly yield:

$$\mathrm{Not}(f(y, y)) = \{a\}$$

In fact, Lassez & Marriott [LM87] were the first to point out that this complement algorithm is correct only for linear terms: complements of non-linear ones do not have a straightforward finite representation. More sophisticated representations, such as constrained terms [Com88], have been investigated, but are not suitable to our applications.
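As an added illustration of Definition 2.2 and Example 2.3 (example code written for this page, not code from the thesis), the following Python implements the many-sorted Not algorithm, an instance check, and a brute-force test of the exclusivity and exhaustivity desiderata over all ground terms up to a given depth; the term encoding, the function names and the depth bound are choices of this example, while the two signatures are the ones given above.

```python
"""Many-sorted first-order term complement (the Not algorithm of Definition 2.2)
with a brute-force check of the exclusivity and exhaustivity desiderata.
Added example: this is not code from the thesis."""
from itertools import count, product

# Signature Sigma from Section 2.1: constructor -> (argument sorts, result sort).
SIG_LIST = {'0': ([], 'nat'), 's': (['nat'], 'nat'),
            'nil': ([], 'nlist'), 'cons': (['nat', 'nlist'], 'nlist')}
# Signature of Example 2.3.
SIG_I = {'a': ([], 'i'), 'f': (['i', 'i'], 'i')}


# Terms: a variable is ('var', name, sort); f(t1, ..., tn) is ('app', f, [t1, ..., tn]).
def var(name, sort):
    return ('var', name, sort)


def app(f, *args):
    return ('app', f, list(args))


def show(t):
    if t[0] == 'var':
        return t[1]
    f, args = t[1], t[2]
    return f if not args else f"{f}({', '.join(show(a) for a in args)})"


def Not(sig, t, fresh=None):
    """Not(t : tau) of Definition 2.2.  `fresh` yields the names z1, z2, ... of
    the new variables.  The ground instances of the result are meant to be
    exactly the ground terms that are not instances of t, which only holds when
    t is linear (Example 2.3)."""
    if fresh is None:
        fresh = (f"z{i}" for i in count(1))
    if t[0] == 'var':
        return []                                   # Not(z : tau) = {}
    f, args = t[1], t[2]
    arg_sorts, tau = sig[f]
    new = lambda sort: var(next(fresh), sort)
    # Terms of sort tau headed by a constructor g other than f ...
    out = [app(g, *(new(s) for s in g_args))
           for g, (g_args, g_tau) in sig.items() if g_tau == tau and g != f]
    # ... plus f applied to fresh variables, except at one position i which is
    # taken from Not(t_i).
    for i, t_i in enumerate(args):
        for s in Not(sig, t_i, fresh):
            out.append(app(f, *(s if j == i else new(sj)
                                for j, sj in enumerate(arg_sorts))))
    return out


def matches(p, g, sub=None):
    """Is the ground term g an instance of p?  Repeated variables in a
    non-linear p must be bound consistently."""
    sub = {} if sub is None else sub
    if p[0] == 'var':
        return sub.setdefault(p[1], g) == g
    return (p[1] == g[1] and len(p[2]) == len(g[2])
            and all(matches(pi, gi, sub) for pi, gi in zip(p[2], g[2])))


def ground_terms(sig, sort, depth):
    """All ground terms of the given sort with nesting depth at most `depth`."""
    if depth < 0:
        return []
    out = []
    for f, (arg_sorts, tau) in sig.items():
        if tau == sort:
            for args in product(*(ground_terms(sig, s, depth - 1) for s in arg_sorts)):
                out.append(app(f, *args))
    return out


def check_desiderata(sig, t, sort, depth=3):
    """Check Not(t) against every ground term of `sort` up to `depth`.  Returns
    the counterexamples to exclusivity (instances of both t and Not(t)) and to
    exhaustivity (instances of neither), as printed terms."""
    comp = Not(sig, t)
    both, neither = [], []
    for g in ground_terms(sig, sort, depth):
        in_t = matches(t, g)
        in_not = any(matches(n, g) for n in comp)
        if in_t and in_not:
            both.append(show(g))
        if not in_t and not in_not:
            neither.append(show(g))
    return both, neither


if __name__ == "__main__":
    # The linear term of Section 2.1 in the list signature.
    t = app('cons', app('s', var('x', 'nat')), app('nil'))
    print([show(n) for n in Not(SIG_LIST, t)])      # ['nil', 'cons(0, z1)', 'cons(z4, cons(z2, z3))']
    print(check_desiderata(SIG_LIST, t, 'nlist'))    # ([], [])
    # The non-linear term of Example 2.3: Not(f(y, y)) is just {a}, so
    # exhaustivity fails on terms such as f(a, f(a, a)).
    u = app('f', var('y', 'i'), var('y', 'i'))
    print([show(n) for n in Not(SIG_I, u)])          # ['a']
    print(check_desiderata(SIG_I, u, 'i', depth=2))  # ([], ['f(a, f(a, a))', 'f(f(a, a), a)'])
```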

Moreover, as is well known, the restriction to linearity seems to be almost immaterial in logic programming thanks to the idea of left-linearization introduced by Plaisted and used first by Stickel [Sti88] to avoid unnecessary occur-check testing. It simply consists of a source-to-source transformation which replaces repeated occurrences of the same variable in a clause head with new variables which are then constrained in the body by a new predicate, say $eq$, whose definition is simply $eq(x, x)$; unification will then provide the other properties of equality. For example, continuing Example 2.3, a clause such as $\forall y.\,p(y, y) \leftarrow G$ would be replaced by $\forall z_1 z_2.\,p(z_1, z_2) \leftarrow eq(z_1, z_2) \wedge G$. As a matter of fact, this approach is less innocent than it looks at first sight, since it opens the road to a CLP attitude; moreover, $eq$ as a predicate is not linear in itself and required an ad hoc treatment in the transformational approach to negation [BMPT90]. Miller [Mil89a] has shown how to automatically infer the equality predicate (the copy clause, in his terminology) for any type. However, for any order higher than the first, these clauses are not Horn and their negation is itself problematic. One of the results in this dissertation is to apply elimination of negation to predicates such as copy.

Once we have a way to solve complement problems, it is easy to pair it with intersection, seen as unification [Plo71], to have a solution to relative complements as well, i.e.

$$\|t\| - \|u_1,\ldots,u_m\| = \|t\| \cap \|\mathrm{Not}(u_1)\| \cap \cdots \cap \|\mathrm{Not}(u_m)\|$$

Another  more  general  approach  is  possible.  As  we  have  seen  in  the  beginning,  it  is  possible  to  express  the 
(relative)  complement  problem  on  terms  as  an  equational  problem.  This  is  the  basis  to  solve  complement 
problems  with  disunification,  as  we  sketch  next. 

2.2  Disunification 

Disunification is devoted to solving arbitrary first order formulae whose only predicate symbol is equality; call them equational formulae. The definition of what a solution is depends on the application at hand. We may be interested only in the overall validity or in the possible assignments that make the formula valid. As we have seen, complement problems can be seen as systems of dis-equations with universally quantified variables. Thus a disunification algorithm (over first-order terms) will solve these problems, possibly providing values for free variables.

From a historical perspective this field became defined when it was realized by Martelli & Montanari [MM82], if not by Herbrand (see the Appendix in [Sny91]), that first-order unification can be seen as a set of transformations on sets of equations. On the other hand the work of Mal’cev [Mal71] on the decidability and the possibility to give a complete axiomatization of the theory of equational algebras qualifies as an ancestor. The definition of Prolog-II introduced first-class dis-equations. Indeed Colmerauer [Col84] showed them to have solutions in the algebra of rational trees. Next, Lassez & Marriott [LM87] proposed the seminal (although awkward) uncover algorithm for computing relative complements. Kirchner and Lescanne first unified those previous papers in the framework of equational problems and proposed a set of transformational rules, though without a completeness proof [KL87]. Maher introduced the unification community to Mal’cev’s results [Mah88]. Comon and Lescanne were the first to present an adequate set of rules [Com88, CL89] and the former surveyed the field [Com91].

How to go on to derive a disunification procedure can vary with the syntax and semantics we are concerned with, but nevertheless it entails the following steps:

• Provide a set of axioms $\mathcal{T}$ that hold in the model we consider.

• Design a set of rules $\mathcal{R}$ for the transformation of equational formulae that can be proven correct w.r.t. $\mathcal{T}$.

• Design a control $\mathcal{C}$ on $\mathcal{R}$ such that the application of rules satisfying $\mathcal{C}$ terminates: irreducible formulae are in solved form and have the same set of solutions as the original problem.

• If arbitrary formulae are allowed and solved forms are trivially decidable, this entails the decidability and completeness of $\mathcal{T}$.

The simplest example is unification of finite (first-order) terms:

• $\mathcal{T}$ is Clark’s free equality theory [Cla78].

• $\mathcal{R}$ are, say, the Martelli-Montanari rules; correctness corresponds to the preservation of solutions under rule application.

• Solved forms yield idempotent substitutions and control restricts the application of variable elimination. Completeness (of the theory) is established for example as in [Mah88].

[Figure 2.1: Some disunification rules. Proviso: in rule R, $w \notin Var(t)$; in E, $P$ contains a (dis)equation with LHS $w$ and RHS $u$, where the latter is not a variable and contains a universally quantified variable.]

The disunification rewrite rules are divided into three big classes:

• Equality rules, i.e. rules which are correct for any equational algebra

• Rules for finite trees over any signature

• Rules for finite trees over a finite signature.

We will not present the complete set of rules with logical provisos and control. We just mention that the first group contains Replacement, Universal Quantifier Elimination, Existential Quantifier Elimination and Elimination of Disjunctions. The second batch contains Clash, Decomposition, Occur check. The third section would contain rules which are sensitive to the cardinality of the signature. Here we mention only the Explosion rule (E), which is motivated by the domain closure axiom (DCA) [MMP88]. We list in Figure 2.1 the rules relevant to the following example in their barest form, i.e. with only soundness and no termination condition.

We now give an example of disunification on the numerals signature, which is required in the synthesis of the odd program (see Figure 5.1). It consists in solving:

$$\forall y : z \neq 0 \wedge z \neq s(s(y)) \tag{2.1}$$

The intuitive solution of (2.1) is $z = s(0)$. We will use the rules in Figure 2.1 and gloss over normalization steps as well as elimination of trivial (dis)equations. Branches stemming from the explosion rule are numbered and pursued separately (keeping in mind that they form a disjunction, i.e. a finitely branching tree from a search standpoint). $R(x)$ denotes application of the rule $R$ on variable $x$. The computation is traced in Figure 2.2.

Note that disunification nicely overcomes the difference between linear and non-linear terms with different notions of solved forms, namely unification solved form versus solved form with dis-equations [Com91]. This may be interpreted as evidence of the opportunity of rephrasing unrestricted relative complements as disunification problems. We, on the other hand, maintain that this approach is unnecessarily general for this purpose. Implementing disunification entails managing the non-deterministic application of a few dozen rules which eventually turns a given problem into a solved form. Though a reduction to a significant subset of the disunification rules, such as the one depicted in Figure 2.1, is likely to be attainable for complement problems, control is a major problem. Moreover the higher-order case results in additional complications, such as restrictions on the occurrences of bound variables, which fall outside an otherwise clean framework. As we show in this dissertation, this must not necessarily be the case. We believe that our techniques for the higher-order case can also be applied to analyze disunification, although we have not investigated this possibility at present.

$\forall y : z \neq 0 \wedge z \neq s(s(y))$
$\longrightarrow E(z)$ (1, 2)

(1) $\forall y : z \neq 0 \wedge z \neq s(s(y)) \wedge z = 0$
$\longrightarrow R(z)$: $\forall y : 0 \neq 0 \wedge 0 \neq s(s(y)) \wedge z = 0$
$\longrightarrow$ Clash (F)

(2) $\exists x\,\forall y : z \neq 0 \wedge z \neq s(s(y)) \wedge z = s(x)$
$\longrightarrow R(z)$: $\exists x\,\forall y : s(x) \neq 0 \wedge s(x) \neq s(s(y)) \wedge z = s(x)$
$\longrightarrow$ Dec, Clash (T): $\exists x\,\forall y : x \neq s(y) \wedge z = s(x)$
$\longrightarrow E(x)$ (2.1, 2.2)

(2.1) $\exists x\,\forall y : x \neq s(y) \wedge z = s(x) \wedge x = 0$
$\longrightarrow R(x)$: $\exists x\,\forall y : 0 \neq s(y) \wedge z = s(0) \wedge x = 0$
$\longrightarrow$ Clash (T): $z = s(0)$

(2.2) $\exists x\,x_1\,\forall y : x \neq s(y) \wedge z = s(x) \wedge x = s(x_1)$
$\longrightarrow R(x)$, Dec: $\exists x\,x_1\,\forall y : x_1 \neq y \wedge z = s(x) \wedge x = s(x_1)$
$\longrightarrow UE(y)$: $\bot$

Figure 2.2: Computation of $\forall y : z \neq 0 \wedge z \neq s(s(y))$


2.3  Other  Applications 

Complement problems and elimination of negation are not restricted to logic programming, but have some other relevant applications in theoretical computer science. Let me refer to [JLLM91] and [Com91] for issues impossible to detail here and for complete references.

In  fact,  complement  problems  and  variants  of  the  uncover  algorithm  [LM87]  as  a  first  attempt  to  solve 
the  former,  have  been  studied  and  tentatively  applied  in  several  ways: 

•  In  functional  programming,  to  determine,  modulo  pattern  matching,  whether  the  program  clauses 
describing  a  function  are  exhaustive  and  disjoint,  even  further  to  produce  a  non-ambiguous  set  of 
patterns.  Moreover,  it  is  possible  to  take  advantage  of  the  given  sequential  application  of  the  rules  to 
provide  an  improved  compiled  code.  Indeed,  if,  say,  the  second  rule  applies,  it  means  the  first  one  does 
not:  hence  the  terms  reducible  by  the  second  rule  are  in  the  complement  of  the  LHS  of  the  first. 

• The connection of complementation to the notion of ground reducibility in term rewriting systems makes it a candidate as a checker for sufficient completeness [GH78] of an algebraic (equational) specification. If the latter fails to be complete, the transformation rules may lead to recovery of the missing cases — hence the motto in [Thi84]:

“Stop losing sleep over incomplete specifications”

Here we are looking for counter-examples: if a function is not sufficiently complete, there is a term, built from the constructors in the signature, which is different from any LHS, thus irreducible (see Example 2.1).

• In term rewriting systems describing infinite transition systems, the complement of a LHS returns the states from which no transition is achievable, thus providing a tool for the temporal analysis of communicating processes.

• In machine learning, a concept can be captured by a term with some (finite) exceptions: the computation of this structure, which is a relative complement, coincides with the search for an explicit representation of the cited concept.

•  Finally,  applications  to  inductive  theorem  proving  under  the  slogan  induction-less  induction  or  proof 
by  consistency  [Com98]  are  under  scrutiny.  This  is  connected  to  the  idea  of  the  so-called  inductive 
reducibility  property. 

We now switch gears and discuss the extension of the relative complement problem to the higher-order case; as usual, we restrict ourselves to a specific class of λ-terms.

2.4  Complementing  Higher-Order  Patterns 

In most functional and logic programming languages the notion of a pattern, together with the requisite algorithms for matching or unification, plays an important role in the operational semantics. And, of course, patterns form the left-hand sides of rewrite rules and are thus critical to the study of rewrite systems. Consequently, analysis of the structure of patterns is an important task in the implementation of programming languages and more abstract studies of rewriting systems and their properties.

Perhaps the most fundamental problems are matching and unification, but other questions such as generalization also arise frequently. Here, we are concerned with the problem of pattern complement in a setting where patterns may contain binding operators, so-called higher-order patterns [Mil91, Nip91]. A term possibly containing some existential variables is called a pattern if each occurrence of an existential variable has the form $E\,x_1 \ldots x_n$, where the arguments $x_i$ are distinct occurrences of free or bound variables (but not existential variables). Higher-order patterns have found applications in logic programming [Mil91, Pfe91a, MP93], logical frameworks [DPS97], term rewriting [Nip93], and functional logic programming [HP96]. Higher-order patterns inherit many pleasant properties from the first-order case. In particular, most general unifiers [Mil91] and least general generalizations [Pfe91b] exist, even for complex type theories.

In this section we discuss some of the preliminary issues towards a generalization of the complement algorithm to higher-order patterns. We assume the following:

• All terms are linear, i.e. existential variables occur only once.

• Types do not contain occurrences of the primitive type $o$. We thus complement only terms with no inner logical structure.

The main difference w.r.t. the first-order case is twofold: first, the second-order (relative) complement problem is not semi-decidable, but higher-order disunification on higher-order patterns is decidable [Lug94].

Secondly, as we will see, the class of patterns is not closed under complement, although a special subclass is. We call a canonical pattern $\Gamma \vdash M : A$ fully applied if each occurrence of an existential variable $E$ under binders $y_1,\ldots,y_m$ is applied to some permutation of the variables in $\Gamma$ and $y_1,\ldots,y_m$. This is formally defined in Figure 2.3. Fully applied patterns play an important role in functional logic programming and rewriting [HP96] because any fully applied existential variable $\Gamma \vdash E\,x_1 \ldots x_n$ denotes all canonical terms with free variables from $\Gamma$. It is this property which makes complementation particularly simple. In fact, the main difference with the first-order case is that we need to carefully keep track of bound variables: those are collected in a context $\Gamma$, so that the complement of a rigid term is taken w.r.t. both the signature and the current context. In case the term is not fully applied, the complement has to take into account whether some of the variables mentioned in a lambda binder do appear in the matrix; we discuss this in Section 2.5. We first analyze the simpler case.
$$\frac{\bar{y}_n = \mathrm{dom}(\Gamma)}{\Gamma \vdash_\Sigma E\,\bar{y}_n\ \text{f.a.}}\ \text{FaPat}
\qquad
\frac{\Gamma, x{:}A \vdash_\Sigma M\ \text{f.a.}}{\Gamma \vdash_\Sigma \lambda x{:}A.\,M\ \text{f.a.}}\ \text{FaLam}$$

$$\frac{h \in \Gamma \cup \Sigma \qquad \Gamma \vdash_\Sigma N_1\ \text{f.a.} \quad\cdots\quad \Gamma \vdash_\Sigma N_n\ \text{f.a.}}{\Gamma \vdash_\Sigma h\,N_1 \ldots N_n\ \text{f.a.}}\ \text{FaApp}$$

Figure 2.3: $M$ is a fully applied pattern: $\Gamma \vdash_\Sigma M$ f.a.

The language of the simply-typed λ-calculus is as follows, where we use $a$ for atomic types (different from the type of propositions $o$), $c$ for term-level constants, and $x$ for term-level variables, while $h$ will stand for a constant or a variable.

$$\begin{array}{llcl}
\text{Simple Types} & A & ::= & a \mid A_1 \to A_2\\
\text{Terms} & M & ::= & c \mid x \mid \lambda x{:}A.\,M \mid M_1\,M_2\\
\text{Signatures} & \Sigma & ::= & \cdot \mid \Sigma, a{:}\mathrm{type} \mid \Sigma, c{:}A\\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}A
\end{array}$$

We require that signatures and contexts declare each constant or variable at most once so that, for example, when we write $\Gamma, x{:}A$, $x$ may not already be declared in $\Gamma$. Furthermore, we identify contexts which differ only in their order; in other words, contexts are treated as sets of declarations for distinct variables. We promote $\cup$ to denote disjoint set union. As usual we identify terms which differ only in the names of their bound variables. We restrict attention to well-typed terms, omitting the standard typing rules.

In applications such as logic programming or logical frameworks, λ-abstraction is used to represent binding operators in some object language. In such a situation the most natural normal forms are long βη-normal forms (which we call canonical forms), since the canonical forms are almost always the terms in bijective correspondence with the objects we are trying to represent. Every well-typed term in the simply-typed λ-calculus has a unique canonical form, a property which persists in the strict λ-calculus introduced in Chapter 3. See that chapter for further discussion and an inductive definition of canonical forms.

We denote existential variables of type $A$ (also called logical variables, meta-variables, or pattern variables) by $E_A$, although we mostly omit the type $A$ when it is clear from the context. We think of existential variables as syntactically distinct from bound variables or free variables declared in a context.

Semantically, an existential variable $E_A$ stands for all canonical terms $M$ of type $A$ in the empty context with respect to a given signature. We extend this to arbitrary well-typed terms in the usual way, and write $\|M\|$ for the set of canonical ground instances of a term $M$ possibly containing existential variables (formally defined in Figure 4.2). In this setting, unification of two patterns corresponds to an intersection of the sets of terms they denote [Mil91, Pfe91b]. This set is always either empty, or can be expressed again as the set of instances of a single pattern. That is, patterns admit most general unifiers.

We now introduce the generalization of the Not algorithm to the fully-applied case:

Definition 2.4 (Fully applied higher-order pattern complement) Fix a signature $\Sigma$. For a fully applied higher-order linear pattern in canonical form $M$, define $\Gamma \vdash \mathrm{Not}(M : A)$ as:

$$\begin{aligned}
\Gamma \vdash \mathrm{Not}(E\,\bar{x} : a) &= \emptyset\\
\Gamma \vdash \mathrm{Not}(h\,M_1 \ldots M_m : a) &= \mathrm{diff}_\Gamma(h : A_m \to a)\ \cup\\
&\quad \{h\,(Z_1\,\Gamma) \ldots (Z_{i-1}\,\Gamma)\,N\,(Z_{i+1}\,\Gamma) \ldots (Z_m\,\Gamma) \mid N \in \Gamma \vdash \mathrm{Not}(M_i : A_i),\ 1 \le i \le m\}\\
\Gamma \vdash \mathrm{Not}(\lambda x{:}A.\,M : A \to B) &= \{\lambda x{:}A.\,N \mid N \in (\Gamma, x{:}A \vdash \mathrm{Not}(M : B))\}
\end{aligned}$$

where $m \ge 0$, $(Z\,\Gamma)$ denotes that a fresh variable $Z$ of appropriate typing may depend on variables in $\mathrm{dom}(\Gamma)$, and

$$\mathrm{diff}_\Gamma(h : A_m \to a) = \{g\,(Z_1\,\Gamma) \ldots (Z_n\,\Gamma) \mid g \in \Sigma \cup \Gamma,\ g : A_n \to a,\ n \ge 0,\ h \neq g\}$$

Note that the definition makes an essential use of the fact that $M$ is canonical and thus its matrix has atomic type $a$.

Remark 2.5 For $h \in \Gamma \cup \Sigma$, $\Gamma \vdash \mathrm{Not}(h : a) = \mathrm{diff}_\Gamma(h : a)$.

Proof: Consider the 0-ary application case. □

We will suppress mention of the type in $\Gamma \vdash \mathrm{Not}(M : A)$ when it can be inferred from the context.

Example 2.6 Consider the untyped λ-calculus²:

$$e ::= x \mid \lambda x.\,e \mid e_1\,e_2$$

We encode these expressions using the usual techniques of higher-order abstract syntax (see, for example, [MP91]) as canonical forms over the following signature $\Sigma_{lam}$:

$$\begin{aligned}
exp &: \mathrm{type}\\
lam &: (exp \to exp) \to exp\\
app &: exp \to exp \to exp
\end{aligned}$$

The representation function is given by:

$$\begin{aligned}
\ulcorner x \urcorner &= x \qquad (x : exp)\\
\ulcorner \lambda x.\,e \urcorner &= lam\,(\lambda x{:}exp.\,\ulcorner e \urcorner)\\
\ulcorner e_1\,e_2 \urcorner &= app\ \ulcorner e_1 \urcorner\ \ulcorner e_2 \urcorner
\end{aligned}$$

As usual with higher-order abstract syntax [PE88], we identify the name of (bound) variables in both languages. The adequacy of the encoding bijectively relates α-equivalence classes of object-level terms with βη-equivalence classes at the meta-level. Now, suppose we want to negate the identity predicate on unary function types:

$$id(\lambda x{:}exp.\,x).$$

The intuitive answer is as follows:

$$\begin{aligned}
&\neg id(\lambda x{:}exp.\,app\,(E_1\,x)\,(E_2\,x)).\\
&\neg id(\lambda x{:}exp.\,lam\,(\lambda y{:}exp.\,(E\,x\,y))).
\end{aligned}$$

This follows from the computation of $\cdot \vdash \mathrm{Not}(\lambda x{:}exp.\,x)$:

$$\begin{aligned}
\cdot \vdash \mathrm{Not}(\lambda x{:}exp.\,x) &= \{\lambda x{:}exp.\,Z \mid Z \in (x{:}exp \vdash \mathrm{Not}(x))\}\\
&= \{\lambda x{:}exp.\,Z \mid Z \in \mathrm{diff}_{x:exp}(x : exp)\}\\
&= \{\lambda x{:}exp.\,Z \mid Z \in \{app\,(E_1\,x)\,(E_2\,x),\ lam\,(\lambda y{:}exp.\,(E\,x\,y))\}\}\\
&= \{\lambda x{:}exp.\,app\,(E_1\,x)\,(E_2\,x),\ \lambda x{:}exp.\,lam\,(\lambda y.\,(E\,x\,y))\}
\end{aligned}$$

For another illustration, consider the representation of an object-language β-redex:

$$\ulcorner (\lambda x.\,e)\,f \urcorner = app\,(lam\,(\lambda x{:}exp.\,\ulcorner e \urcorner))\ \ulcorner f \urcorner$$

where $\ulcorner e \urcorner$ may have free occurrences of $x$. When written as a pattern with variables $E_{exp \to exp}$ and $F_{exp}$ ranging over closed terms, this is expressed as $app\,(lam\,(\lambda x{:}exp.\,(E\,x)))\,F$. Consider the predicate:

$$betardx(app\,(lam\,(\lambda x{:}exp.\,E\,x))\,F).$$

The complement of the arguments in the empty context contains every top-level λ-abstraction plus every application where the first argument is not an abstraction:

$$\cdot \vdash \mathrm{Not}(app\,(lam\,(\lambda x{:}exp.\,(E\,x)))\,F) = \{lam\,(\lambda x{:}exp.\,Z\,x),\ app\,(app\,Z_1\,Z_2)\,Z_3\}$$

Thus the negation of the betardx predicate is:

$$\begin{aligned}
&\neg betardx(lam\,(\lambda x{:}exp.\,Z\,x)).\\
&\neg betardx(app\,(app\,Z_1\,Z_2)\,Z_3).
\end{aligned}$$

² We use λ for lambda abstraction in the object-calculus, not to be confused with λ in the meta-language.

If the term to complement is complex, we need to call the Not algorithm recursively as many times as its depth. Let us see another slightly more complicated example.

Example 2.7 Consider the signature of numerals and the problem $\cdot \vdash \mathrm{Not}(\lambda f{:}n \to n.\,f\,0)$.

$$\begin{aligned}
\cdot \vdash \mathrm{Not}(\lambda f{:}n \to n.\,f\,0) &= \{\lambda f{:}n \to n.\,Z \mid Z \in (f{:}n \to n \vdash \mathrm{Not}(f\,0))\}\\
&= \{\lambda f{:}n \to n.\,Z \mid Z \in \mathrm{diff}_f(f) \cup \{f\,Z' \mid Z' \in (f{:}n \to n \vdash \mathrm{Not}(0))\}\}\\
&= \{\lambda f{:}n \to n.\,Z \mid Z \in \{0,\ s(Z_1\,f)\} \cup \{f\,Z' \mid Z' \in \{f(Z_2\,f),\ s(Z_3\,f)\}\}\}\\
&= \{\lambda f{:}n \to n.\,0,\ \lambda f{:}n \to n.\,s(Z_1\,f),\ \lambda f{:}n \to n.\,f(f(Z_2\,f)),\ \lambda f{:}n \to n.\,f(s(Z_3\,f))\}
\end{aligned}$$
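Definition 2.4 worked mechanically on Examples 2.6 and 2.7 and on the betardx pattern, as an added example that is not the thesis's code: a small Python implementation of $\Gamma \vdash \mathrm{Not}(M : A)$ for fully applied patterns, in which every fresh $(Z\,\Gamma)$ is η-expanded to canonical form at its type (which is how the $lam\,(\lambda y{:}exp.\,E\,x\,y)$ alternative arises). The term encoding, the class name and the numbering of fresh variables are assumptions of this example.

```python
"""Complement of fully applied higher-order patterns (Definition 2.4) on the
signatures of Examples 2.6 and 2.7.  Added example, not code from the thesis.
Canonical terms are encoded as ('lam', x, A, M), ('app', h, [M1, ..., Mn]) with
h a constant or bound variable, and ('evar', E, [x1, ..., xn]) for an
existential variable applied to the variables of the context."""
from itertools import count


def arrow(*tys):
    """arrow(A1, ..., An, a) builds the type A1 -> ... -> An -> a."""
    t = tys[-1]
    for a in reversed(tys[:-1]):
        t = ('->', a, t)
    return t


def split(ty):
    """Split A1 -> ... -> An -> a into ([A1, ..., An], a)."""
    args = []
    while isinstance(ty, tuple):
        args.append(ty[1])
        ty = ty[2]
    return args, ty


# Sigma_lam of Example 2.6 and the numerals of Example 2.7 (type n).
SIG_LAM = {'lam': arrow(arrow('exp', 'exp'), 'exp'), 'app': arrow('exp', 'exp', 'exp')}
SIG_NAT = {'0': 'n', 's': arrow('n', 'n')}


class Complement:
    """Gamma |- Not(M : A); fresh variables are numbered per instance."""

    def __init__(self, sig):
        self.sig = sig
        self.zs, self.ys = count(1), count(1)     # names for fresh Z_i and y_i

    def gen(self, ctx, ty):
        """(Z Gamma) at type ty in canonical form: a fresh Z applied to
        dom(Gamma), eta-expanded with new binders for the arguments of ty."""
        arg_tys, _ = split(ty)
        bound = [(f"y{next(self.ys)}", a) for a in arg_tys]
        t = ('evar', f"Z{next(self.zs)}", [x for x, _ in ctx] + [y for y, _ in bound])
        for y, a in reversed(bound):
            t = ('lam', y, a, t)
        return t

    def diff(self, ctx, h, a):
        """diff_Gamma(h : A_m -> a): every g in Sigma u Gamma other than h with
        target type a, applied to fresh (Z_i Gamma)."""
        out = []
        for g, g_ty in list(self.sig.items()) + ctx:
            arg_tys, target = split(g_ty)
            if target == a and g != h:
                out.append(('app', g, [self.gen(ctx, A) for A in arg_tys]))
        return out

    def Not(self, ctx, term, ty):
        if term[0] == 'evar':
            return []                                  # Not(E x1..xn : a) = {}
        if term[0] == 'lam':                           # push the binder into Gamma
            _, x, A, body = term
            return [('lam', x, A, N) for N in self.Not(ctx + [(x, A)], body, ty[2])]
        _, h, args = term                              # rigid term h M1 ... Mm
        arg_tys, a = split(dict(ctx).get(h, self.sig.get(h)))
        out = self.diff(ctx, h, a)
        for i, (M_i, A_i) in enumerate(zip(args, arg_tys)):
            for N in self.Not(ctx, M_i, A_i):          # complement argument i only
                out.append(('app', h, [N if j == i else self.gen(ctx, A_j)
                                       for j, A_j in enumerate(arg_tys)]))
        return out


def showty(ty):
    if isinstance(ty, str):
        return ty
    left = showty(ty[1])
    return f"({left}) -> {showty(ty[2])}" if isinstance(ty[1], tuple) else f"{left} -> {showty(ty[2])}"


def show(t):
    """Print a term in the notation of the thesis."""
    if t[0] == 'lam':
        return f"λ{t[1]}:{showty(t[2])}. {show(t[3])}"
    if t[0] == 'evar':
        return " ".join([t[1]] + t[2])
    atomic = lambda u: u[0] != 'lam' and not u[2]
    return " ".join([t[1]] + [show(u) if atomic(u) else f"({show(u)})" for u in t[2]])


def complement(sig, term, ty, ctx=()):
    """Gamma |- Not(M : A) as a list of printed terms, fresh names restarted."""
    return [show(N) for N in Complement(sig).Not(list(ctx), term, ty)]


if __name__ == "__main__":
    # Example 2.6:  . |- Not(λx:exp. x)
    print(complement(SIG_LAM, ('lam', 'x', 'exp', ('app', 'x', [])), arrow('exp', 'exp')))
    # The beta-redex pattern app (lam (λx:exp. E x)) F of the betardx predicate.
    redex = ('app', 'app', [('app', 'lam', [('lam', 'x', 'exp', ('evar', 'E', ['x']))]),
                            ('evar', 'F', [])])
    print(complement(SIG_LAM, redex, 'exp'))
    # Example 2.7:  . |- Not(λf:n -> n. f 0)
    print(complement(SIG_NAT, ('lam', 'f', arrow('n', 'n'), ('app', 'f', [('app', '0', [])])),
                     arrow(arrow('n', 'n'), 'n')))
```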


2.5  Partially  Applied  Terms 

Consider a predicate on the signature $\Sigma_{lam}$ true if a unary (object-level) function $\ulcorner \lambda x.\,e \urcorner$ does not depend on its argument. This can be encoded using a pattern variable $E_{exp}$ which does not depend on $x$:

$$vacous(\lambda x{:}exp.\,E). \tag{2.2}$$

Intuitively, the complement should be a predicate, say strict, true when the function does use its argument. Note that there is no finite set of patterns which has as its ground instances exactly those terms $M$ which depend on a given variable $x$. One way to express it is as follows:

$$\begin{aligned}
&strict(\lambda x{:}exp.\,x).\\
&strict(\lambda x{:}exp.\,app\,(E_1\,x)\,(E_2\,x)) \leftarrow strict(\lambda x{:}exp.\,E_1\,x).\\
&strict(\lambda x{:}exp.\,app\,(E_1\,x)\,(E_2\,x)) \leftarrow strict(\lambda x{:}exp.\,E_2\,x).\\
&strict(\lambda x{:}exp.\,lam\,(\lambda y{:}exp.\,(E\,x\,y))) \leftarrow (\forall z{:}exp.\,strict(\lambda x{:}exp.\,(E\,x\,z))).
\end{aligned}$$

Hence the complement of a fact, whose arguments are partially applied patterns, may lead to possibly hypothetical and parametric clauses.

Example 2.8 The encoding of an η-redex takes the form:

$$\ulcorner \lambda x.\,e\,x \urcorner = lam\,(\lambda x{:}exp.\,app\ \ulcorner e \urcorner\ x)$$

where $\ulcorner e \urcorner$ may contain no free occurrence of $x$. The side condition is again expressed in a pattern by introducing an existential variable $E_{exp}$ which does not depend on $x$, that is $lam\,(\lambda x{:}exp.\,(app\,E)\,x)$. Hence, its complement with respect to the empty context should contain, among others, also all terms

$$lam\,(\lambda x{:}exp.\,app\,(F\,x)\,Z)$$

where $F$ must depend on $x$.

More generally, we would have to decorate programs with predicates discriminating when a pattern is fully applied or not. It is clear that the simply typed λ-calculus, or, for that matter, every other intuitionistic type theory, is not strong enough to represent the complement of partially applied patterns. This failure of closure under complementation cannot be avoided in the way in which left-linearization bypasses the limitation to linear terms, and it needs to be addressed directly.

One approach is taken by Lugiez [Lug95]: he modifies the language of terms to promote constraints to first-class objects, similarly in spirit to explicit substitutions. For example $\lambda xyz.$ would denote a function which depends on its first and third argument. The technical handling of those objects then becomes awkward as they require specialized rules which are foreign to the issues of complementation.

We can instead internalize the (in)dependence constraints in a type theory which explicitly takes into account the occurrence issue. Since our underlying λ-calculus is typed, we use typing to express that a function must or must not depend on its argument. Following standard terminology, we call such terms strict in $x$ and the corresponding function $\lambda x{:}A.\,M$ a strict function. The natural choice is a calculus of strict types and is formalized in Section 3.1. We first give an informal presentation.

We can introduce a strict application primitive constructor, say $F\,{}^{\wedge}x$, which expresses the fact that $F$ must use an argument $x$ mentioned in the context. Thus for example:

$$\cdot \vdash \mathrm{Not}(\lambda x{:}exp.\,E) = \{\lambda x{:}exp.\,F\,{}^{\wedge}x\}$$

Therefore, the complement of (2.2) would be:

$$\neg vacous(\lambda x{:}exp.\,F\,{}^{\wedge}x).$$

Conversely, taking the complement of terms where arguments must occur yields terms where some argument must not occur: for example

$$\cdot \vdash \mathrm{Not}(\lambda x{:}exp.\,\lambda y{:}exp.\,E\,{}^{\wedge}y\,{}^{\wedge}x) = \{\lambda x{:}exp.\,\lambda y{:}exp.\,F,\ \lambda x{:}exp.\,\lambda y{:}exp.\,F_1\,{}^{\wedge}x,\ \lambda x{:}exp.\,\lambda y{:}exp.\,F_2\,{}^{\wedge}y\}$$

Let $\bar{y}$, $\bar{x}$ be two sets of variables such that $\bar{y} \subseteq \bar{x}$. Let $\bar{z} = \bar{x} - \bar{y}$. We first treat the intuitionistic application case. The complement of $\lambda \bar{x}.\,E\,\bar{y}$ is the set of terms that may depend on $\bar{y}$ but have to depend on one of the $z$'s, that is $p$ terms such that, for an appropriate context $\Gamma$:

$$\Gamma \vdash \mathrm{Not}(E\,\bar{y}) = \bigcup_{i=1}^{p} \{F_i\,\bar{y}\,z_1 \ldots z_{i-1}\,{}^{\wedge}z_i\,z_{i+1} \ldots z_p\}$$

The complement of terms with strict application is defined as:

$$\Gamma \vdash \mathrm{Not}(E\,{}^{\wedge}y_1\,{}^{\wedge}y_2 \cdots {}^{\wedge}y_m) = \bigcup_{j=1}^{m} \{F_j\,y_1 \ldots y_{j-1}\,y_{j+1} \ldots y_m\}$$

Example 2.9

$$\begin{aligned}
\cdot \vdash \mathrm{Not}(\lambda xyzw.\,E\,y\,w) &= \{\lambda xyzw.\,F_1\,y\,w\,{}^{\wedge}x\,z,\ \lambda xyzw.\,F_2\,y\,w\,x\,{}^{\wedge}z\}\\
\cdot \vdash \mathrm{Not}(\lambda xy.\,E\,{}^{\wedge}x\,{}^{\wedge}y) &= \{\lambda xy.\,F_1\,x,\ \lambda xy.\,F_2\,y\}
\end{aligned}$$

Yet, there is a certain asymmetry between strict and intuitionistic application: while the former completely determines the occurrence status of a variable, the latter leaves the status floating indeterminately between the possibility of occurrence or not. We can benefit from a notation which captures the ‘non-occurring’ condition explicitly. One possibility is to decorate bound variables as well as function types with three occurrence annotations $1, 0, u$ with the intended meaning of:

$x^1$ : $x$ must occur
$x^0$ : $x$ must not occur
$x^u$ : $x$ is undetermined

Its intended semantics, as a type theory, is explored next.


Chapter 3

A Strict λ-Calculus


In this Chapter we introduce a strict λ-calculus and develop its basic properties, culminating in the existence of canonical forms (Section 3.2). Chapter 4 will introduce a restriction of the language for which complementation is possible.

3.1 Strict Types

As we have seen in the preceding Chapter, the complement of a partially applied pattern in the simply-typed λ-calculus cannot be expressed in a finitary manner within the same calculus. We thus generalize our language to include strict functions of type $A \to^1 B$ (which are guaranteed to depend on their argument) and invariant functions of type $A \to^0 B$ (which are guaranteed not to depend on their argument). Of course, any concretely given function either will or will not depend on its argument, but in the presence of existential variables we still need the ability to remain uncommitted. Therefore our calculus also contains the full function space $A \to^u B$. A similar calculus has been independently investigated in [Wri91, BF93]; for a comparison see Section 3.3.


$$\begin{array}{lrcl}
\text{Labels} & k & ::= & 1 \mid 0 \mid u \\
\text{Types} & A & ::= & a \mid A_1 \to^k A_2 \\
\text{Terms} & M & ::= & c \mid x \mid \lambda x^k{:}A.\,M \mid (M_1\,M_2)^k \\
\text{Contexts} & \Gamma & ::= & \cdot \mid \Gamma, x{:}A
\end{array}$$


Note that there are three different forms of abstractions and applications, where the latter are distinguished by different labels on the argument. It is not really necessary to distinguish three forms of application syntactically, since the type of the function determines the status of the application, but it is convenient for our purposes. If a label is $u$ it is called undetermined, otherwise it is determined and denoted with the metavariable $d$.

We use a formulation of the typing judgment with three zones, containing the unrestricted, irrelevant and strict hypotheses, denoted by $\Gamma$, $\Omega$, and $\Delta$, respectively.

$$\Gamma;\Omega;\Delta \vdash M : A$$


We implicitly assume a fixed signature $\Sigma$ which would otherwise clutter the presentation. Recall that $\Gamma_1, \Gamma_2$ is the union of two contexts which do not declare any common variables. Recall also that we consider contexts as sets, that is, exchange is left implicit.

Our system is biased towards a bottom-up reading of the rules in that variables never disappear, i.e. they are always propagated from the conclusion to the premises, although their status might be changed.

Let us go through the typing rules in detail. The requirement for the strict context $\Delta$ to be empty in the $\mathrm{Id}^u$ and $\mathrm{Con}$ rules expresses that strict variables must be used, while undetermined variables in $\Gamma$ or irrelevant variables in $\Omega$ can be ignored. Note that there is no rule for irrelevant variables, which expresses that they cannot be used.
$$\frac{c{:}A \in \Sigma}{\Gamma;\Omega;\cdot \vdash c : A}\ \mathrm{Con}
\qquad
\frac{}{(\Gamma, x{:}A);\Omega;\cdot \vdash x : A}\ \mathrm{Id}^u
\qquad
\text{no } \mathrm{Id}^0 \text{ rule}
\qquad
\frac{}{\Gamma;\Omega;x{:}A \vdash x : A}\ \mathrm{Id}^1$$

$$\frac{(\Gamma, x{:}A);\Omega;\Delta \vdash M : B}{\Gamma;\Omega;\Delta \vdash \lambda x^u{:}A.\,M : A \to^u B}\ {\to^u}I
\qquad
\frac{\Gamma;(\Omega, x{:}A);\Delta \vdash M : B}{\Gamma;\Omega;\Delta \vdash \lambda x^0{:}A.\,M : A \to^0 B}\ {\to^0}I
\qquad
\frac{\Gamma;\Omega;(\Delta, x{:}A) \vdash M : B}{\Gamma;\Omega;\Delta \vdash \lambda x^1{:}A.\,M : A \to^1 B}\ {\to^1}I$$

$$\frac{\Gamma;\Omega;\Delta \vdash M : A \to^u B \qquad (\Gamma,\Delta);\Omega;\cdot \vdash N : A}{\Gamma;\Omega;\Delta \vdash M\,N^u : B}\ {\to^u}E$$

$$\frac{\Gamma;\Omega;\Delta \vdash M : A \to^0 B \qquad (\Gamma,\Omega,\Delta);\cdot;\cdot \vdash N : A}{\Gamma;\Omega;\Delta \vdash M\,N^0 : B}\ {\to^0}E$$

$$\frac{(\Gamma,\Delta_N);\Omega;\Delta_M \vdash M : A \to^1 B \qquad (\Gamma,\Delta_M);\Omega;\Delta_N \vdash N : A}{\Gamma;\Omega;(\Delta_M,\Delta_N) \vdash M\,N^1 : B}\ {\to^1}E$$

Figure 3.1: Typing rules for $\lambda^{\to^k}$
$$\frac{
\dfrac{\dfrac{}{y{:}A;\ \cdot;\ x{:}A \to^1 A \to^1 B \vdash x : A \to^1 A \to^1 B}\ \mathrm{Id}^1
\qquad
\dfrac{}{x{:}A \to^1 A \to^1 B;\ \cdot;\ y{:}A \vdash y : A}\ \mathrm{Id}^1}
{\cdot;\ \cdot;\ (x{:}A \to^1 A \to^1 B,\ y{:}A) \vdash x\,y^1 : A \to^1 B}\ {\to^1}E
\qquad
\dfrac{}{(x{:}A \to^1 A \to^1 B,\ y{:}A);\ \cdot;\ \cdot \vdash y : A}\ \mathrm{Id}^u
}{\cdot;\ \cdot;\ (x{:}A \to^1 A \to^1 B,\ y{:}A) \vdash (x\,y^1)\,y^1 : B}\ {\to^1}E$$

Figure 3.2: First derivation of $\cdot;\ \cdot;\ (x{:}A \to^1 A \to^1 B,\ y{:}A) \vdash (x\,y^1)\,y^1 : B$ (with $\Delta_M = (x{:}A \to^1 A \to^1 B,\ y{:}A)$ and $\Delta_N = \cdot$)

$$\frac{
\dfrac{\dfrac{}{y{:}A;\ \cdot;\ x{:}A \to^1 A \to^1 B \vdash x : A \to^1 A \to^1 B}\ \mathrm{Id}^1
\qquad
\dfrac{}{(y{:}A,\ x{:}A \to^1 A \to^1 B);\ \cdot;\ \cdot \vdash y : A}\ \mathrm{Id}^u}
{y{:}A;\ \cdot;\ x{:}A \to^1 A \to^1 B \vdash x\,y^1 : A \to^1 B}\ {\to^1}E
\qquad
\dfrac{}{x{:}A \to^1 A \to^1 B;\ \cdot;\ y{:}A \vdash y : A}\ \mathrm{Id}^1
}{\cdot;\ \cdot;\ (x{:}A \to^1 A \to^1 B,\ y{:}A) \vdash (x\,y^1)\,y^1 : B}\ {\to^1}E$$

Figure 3.3: Second derivation of $\cdot;\ \cdot;\ (x{:}A \to^1 A \to^1 B,\ y{:}A) \vdash (x\,y^1)\,y^1 : B$ (with $\Delta_M = x{:}A \to^1 A \to^1 B$ and $\Delta_N = y{:}A$)


The introduction rules for undetermined, invariant, and strict functions simply add a variable to the appropriate context and check the body of the function.

The difficult rules are the three elimination rules. First, the undetermined context $\Gamma$ is always propagated to both premises. This reflects that we place no restriction on the use of these variables.

Next we consider the strict context $\Delta$. Recall that this contains the variables which should occur strictly in a term. An undetermined function $M : A \to^u B$ may or may not use its argument. An occurrence of a variable in the argument to such a function can therefore not be guaranteed to be used. Hence we must require in the rule ${\to^u}E$ for an application $M\,N^u$ that all variables in $\Delta$ occur strictly in $M$. This ensures at least one strict occurrence in $M$, and no further restrictions on occurrences of strict variables in the argument are necessary. This is reflected in the rule by adding $\Delta$ to the undetermined context while checking the argument $N$. The treatment of the strict variables in the vacuous application $M\,N^0$ is similar.

In the case of a strict application $M\,N^1$ each strict variable should occur strictly in either $M$ or $N$. We therefore split the context into $\Delta_M$ and $\Delta_N$, guaranteeing that each variable has at least one strict occurrence in $M$ or $N$, respectively. However, strict variables can occur more than once, so variables from $\Delta_N$ can be used freely in $M$, and variables from $\Delta_M$ can occur freely in $N$. As before, we reflect this by adding these variables to the undetermined context.

Finally we consider the irrelevant context $\Omega$. Variables declared in $\Omega$ cannot be used except in the argument to an irrelevant function (which is guaranteed to ignore its argument). We therefore add the irrelevant context $\Omega$ to the undetermined context when checking the argument of a vacuous application $M\,N^0$.

We now illustrate how the strict application rule non-deterministically splits contexts. Consider the typing problem $\cdot;\ \cdot;\ (x{:}A \to^1 A \to^1 B,\ y{:}A) \vdash (x\,y^1)\,y^1 : B$. There are four ways to split the strict context:

$$\begin{array}{ll}
\Delta_M = x{:}A \to^1 A \to^1 B,\ y{:}A & \Delta_N = \cdot \\
\Delta_M = x{:}A \to^1 A \to^1 B & \Delta_N = y{:}A \\
\Delta_M = y{:}A & \Delta_N = x{:}A \to^1 A \to^1 B \\
\Delta_M = \cdot & \Delta_N = x{:}A \to^1 A \to^1 B,\ y{:}A
\end{array}$$

Only the first two yield a valid derivation (depicted in Figure 3.2 and Figure 3.3), as $x$ needs to be strict in the leftmost branch.
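As an added illustration (our own code, not part of the thesis), the following Python type checker implements the rules of Figure 3.1 with the three zones as dictionaries; strict application tries every split of $\Delta$, so `valid_splits` reports which of the four splits above admit a derivation. The function names, the tuple encoding of types and terms, and the Barendregt convention on bound variables are our assumptions.

```python
"""Type checker for the three-zone strict lambda-calculus of Figure 3.1.

Types : ('base', a) | ('arrow', k, A, B)            k in {'1', '0', 'u'}
Terms : ('const', c) | ('var', x) | ('lam', k, x, A, M) | ('app', k, M, N)
Zones : dicts name -> type for Gamma (undetermined), Omega (irrelevant)
        and Delta (strict); exchange is implicit, as in the text.
Assumption (ours): all bound variables are distinct from each other and
from the zones, so contexts can be merged as disjoint unions.
"""
from itertools import combinations

def base(a):
    return ('base', a)

def arrow(k, a, b):
    return ('arrow', k, a, b)

def merge(*zones):
    """The context union Gamma1, Gamma2 of the text: no common variables."""
    out = {}
    for z in zones:
        for x, a in z.items():
            if x in out:
                raise ValueError(f'variable {x} declared twice')
            out[x] = a
    return out

def infer(sig, G, O, D, M):
    """Return A such that G; O; D |- M : A is derivable, else None.
    Typing is unique (Theorem 3.2), so the first derivation found suffices."""
    tag = M[0]
    if tag == 'const':                       # Con: strict zone must be empty
        return sig.get(M[1]) if not D else None
    if tag == 'var':
        x = M[1]
        if list(D) == [x]:                   # Id^1: Delta is exactly x:A
            return D[x]
        if x in G and not D:                 # Id^u: strict zone empty
            return G[x]
        return None                          # no rule for Omega variables
    if tag == 'lam':                         # ->^k I: bind x in the k-zone
        _, k, x, A, body = M
        zones = {'u': dict(G), '0': dict(O), '1': dict(D)}
        zones[k][x] = A
        B = infer(sig, zones['u'], zones['0'], zones['1'], body)
        return arrow(k, A, B) if B is not None else None
    _, k, F, N = M                           # ->^k E
    if k != '1':
        T = infer(sig, G, O, D, F)           # all of Delta must be strict in F
        if T is None or T[0] != 'arrow' or T[1] != k:
            return None
        if k == 'u':                         # argument sees Gamma, Delta freely
            A = infer(sig, merge(G, D), O, {}, N)
        else:                                # ->^0 E: Omega usable freely too
            A = infer(sig, merge(G, O, D), {}, {}, N)
        return T[3] if A == T[2] else None
    for DM, DN in splits(D):                 # ->^1 E: nondeterministic split
        T = infer(sig, merge(G, DN), O, DM, F)
        if T is None or T[0] != 'arrow' or T[1] != '1':
            continue
        if infer(sig, merge(G, DM), O, DN, N) == T[2]:
            return T[3]
    return None

def splits(D):
    """All ways of writing Delta as (Delta_M, Delta_N)."""
    names = sorted(D)
    for r in range(len(names) + 1):
        for chosen in combinations(names, r):
            DM = {x: D[x] for x in chosen}
            DN = {x: D[x] for x in names if x not in chosen}
            yield DM, DN

def valid_splits(sig, G, O, D, F, N):
    """Which splits of Delta make G; O; D |- (F N)^1 : B derivable."""
    good = []
    for DM, DN in splits(D):
        T = infer(sig, merge(G, DN), O, DM, F)
        if T and T[0] == 'arrow' and T[1] == '1' and \
           infer(sig, merge(G, DM), O, DN, N) == T[2]:
            good.append((tuple(sorted(DM)), tuple(sorted(DN))))
    return good

# The example of the text: x : A ->1 A ->1 B, y : A, term (x y^1) y^1.
A, B = base('A'), base('B')
EXAMPLE_D = {'x': arrow('1', A, arrow('1', A, B)), 'y': A}
XY = ('app', '1', ('var', 'x'), ('var', 'y'))
TERM = ('app', '1', XY, ('var', 'y'))

if __name__ == '__main__':
    print(infer({}, {}, {}, EXAMPLE_D, TERM))                    # ('base', 'B')
    print(valid_splits({}, {}, {}, EXAMPLE_D, XY, ('var', 'y')))  # the two good splits
```

Running it confirms that exactly the first two splits of the text succeed, that a strict binder whose variable is unused (e.g. $\lambda x^1{:}A.\,c$) is rejected, and that the η-expansion $\lambda x^0{:}A.\,M\,x^0$ of an invariant function is well typed.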

Our strict λ-calculus satisfies the expected properties, culminating in the existence of canonical forms, which is critical for the intended applications. We begin with the following:

Remark 3.1 (Inversion) All rules in $\lambda^{\to^k}$ are invertible.

We will often use inversion principles tacitly in proofs by structural induction on the typing derivation. Note that, although typing derivations may not be, typing is unique.

Theorem 3.2 (Uniqueness of Typing) If $\Gamma;\Omega;\Delta \vdash M : A$ and $\Gamma';\Omega';\Delta' \vdash M : A'$, then $A = A'$.




Proof: By induction on the structure of the given derivations, exploiting 'functionality' of signatures and contexts. □

We start by addressing the structural properties of the context(s). Exchange is directly built into the formulation and will not be repeated.

Theorem 3.3 (Weakening)

1. (Weakening$^u$) If $\Gamma;\Omega;\Delta \vdash M : A$, then $(\Gamma, x{:}C);\Omega;\Delta \vdash M : A$.

2. (Weakening$^0$) If $\Gamma;\Omega;\Delta \vdash M : A$, then $\Gamma;(\Omega, x{:}C);\Delta \vdash M : A$.

Proof: By induction on the structure of the given derivation. □

The following properties allow us to lose track of strict and vacuous occurrences, if we are so inclined. We use the phrase 'by sub-derivation' to localize the immediate sub-derivation(s) of a given one; 'by rule' means in this Chapter by application of the correct (and unique) typing rule, when not explicitly mentioned.

Theorem 3.4 If $\Gamma;(\Omega, x{:}C);\Delta \vdash M : A$, then $(\Gamma, x{:}C);\Omega;\Delta \vdash M : A$.

Proof: By induction on the structure of $\mathcal{D} :: \Gamma;(\Omega, x{:}C);\Delta \vdash M : A$.

Case: $\mathcal{D} = \dfrac{c{:}A \in \Sigma}{\Gamma;(\Omega,x{:}C);\cdot \vdash c : A}\ \mathrm{Con}$. Then $\mathcal{E} = \dfrac{c{:}A \in \Sigma}{(\Gamma,x{:}C);\Omega;\cdot \vdash c : A}\ \mathrm{Con}$.

Case: $\mathcal{D} = \dfrac{}{(\Gamma',y{:}A);(\Omega,x{:}C);\cdot \vdash y : A}\ \mathrm{Id}^u$. Then $\mathcal{E} = \dfrac{}{(\Gamma',y{:}A,x{:}C);\Omega;\cdot \vdash y : A}\ \mathrm{Id}^u$.

Case: $\mathcal{D} = \dfrac{}{\Gamma;(\Omega,x{:}C);y{:}A \vdash y : A}\ \mathrm{Id}^1$. Then $\mathcal{E} = \dfrac{}{(\Gamma,x{:}C);\Omega;y{:}A \vdash y : A}\ \mathrm{Id}^1$.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Gamma;(\Omega,x{:}C,y{:}A);\Delta \vdash M : B}{\Gamma;(\Omega,x{:}C);\Delta \vdash \lambda y^0{:}A.\,M : A \to^0 B}\ {\to^0}I$

$\Gamma;(\Omega,x{:}C,y{:}A);\Delta \vdash M : B$    By sub-derivation
$(\Gamma,x{:}C);(\Omega,y{:}A);\Delta \vdash M : B$    By IH on $\mathcal{D}_1$
$(\Gamma,x{:}C);\Omega;\Delta \vdash \lambda y^0{:}A.\,M : A \to^0 B$    By rule ${\to^0}I$

Case: $\mathcal{D}$ ends in ${\to^u}I$ or ${\to^1}I$: the claim follows from an immediate appeal to the inductive hypothesis, as in the above case.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Gamma;(\Omega,x{:}C);\Delta \vdash M : A \to^u B \qquad \mathcal{D}_2 :: (\Gamma,\Delta);(\Omega,x{:}C);\cdot \vdash N : A}{\Gamma;(\Omega,x{:}C);\Delta \vdash M\,N^u : B}\ {\to^u}E$

$\mathcal{D}_1 :: \Gamma;(\Omega,x{:}C);\Delta \vdash M : A \to^u B$    By sub-derivation
$(\Gamma,x{:}C);\Omega;\Delta \vdash M : A \to^u B$    By IH on $\mathcal{D}_1$
$\mathcal{D}_2 :: (\Gamma,\Delta);(\Omega,x{:}C);\cdot \vdash N : A$    By sub-derivation
$(\Gamma,\Delta,x{:}C);\Omega;\cdot \vdash N : A$    By IH on $\mathcal{D}_2$
$(\Gamma,x{:}C);\Omega;\Delta \vdash M\,N^u : B$    By rule ${\to^u}E$

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Gamma;(\Omega,x{:}C);\Delta \vdash M : A \to^0 B \qquad \mathcal{D}_2 :: (\Gamma,\Omega,\Delta,x{:}C);\cdot;\cdot \vdash N : A}{\Gamma;(\Omega,x{:}C);\Delta \vdash M\,N^0 : B}\ {\to^0}E$

$\mathcal{D}_1 :: \Gamma;(\Omega,x{:}C);\Delta \vdash M : A \to^0 B$    By sub-derivation
$(\Gamma,x{:}C);\Omega;\Delta \vdash M : A \to^0 B$    By IH on $\mathcal{D}_1$
$(\Gamma,\Omega,\Delta,x{:}C);\cdot;\cdot \vdash N : A$    By sub-derivation ($\mathcal{D}_2$ is unchanged, as contexts are sets)
$(\Gamma,x{:}C);\Omega;\Delta \vdash M\,N^0 : B$    By rule ${\to^0}E$

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,\Delta_N);(\Omega,x{:}C);\Delta_M \vdash M : A \to^1 B \qquad \mathcal{D}_2 :: (\Gamma,\Delta_M);(\Omega,x{:}C);\Delta_N \vdash N : A}{\Gamma;(\Omega,x{:}C);(\Delta_M,\Delta_N) \vdash M\,N^1 : B}\ {\to^1}E$

$(\Gamma,\Delta_N);(\Omega,x{:}C);\Delta_M \vdash M : A \to^1 B$    By sub-derivation
$(\Gamma,x{:}C,\Delta_N);\Omega;\Delta_M \vdash M : A \to^1 B$    By IH on $\mathcal{D}_1$
$(\Gamma,\Delta_M);(\Omega,x{:}C);\Delta_N \vdash N : A$    By sub-derivation
$(\Gamma,x{:}C,\Delta_M);\Omega;\Delta_N \vdash N : A$    By IH on $\mathcal{D}_2$
$(\Gamma,x{:}C);\Omega;(\Delta_M,\Delta_N) \vdash M\,N^1 : B$    By rule ${\to^1}E$

□


Corollary 3.5 (Loosening$^0$) If $\Gamma;(\Omega,\Phi);\Delta \vdash M : A$, then $(\Gamma,\Phi);\Omega;\Delta \vdash M : A$.

Proof: By repeated application of Theorem 3.4. □

Theorem 3.6 If $\Gamma;\Omega;(\Delta,x{:}C) \vdash M : A$, then $(\Gamma,x{:}C);\Omega;\Delta \vdash M : A$.

Proof: By induction on the structure of $\mathcal{D} :: \Gamma;\Omega;(\Delta,x{:}C) \vdash M : A$.

Case: $\mathcal{D}$ ends in $\mathrm{Con}$ or $\mathrm{Id}^u$: vacuously true, as the strict context is not empty.

Case: $\mathcal{D} = \dfrac{}{\Gamma;\Omega;x{:}A \vdash x : A}\ \mathrm{Id}^1$ (so $\Delta = \cdot$ and $C = A$). Then $\mathcal{E} = \dfrac{}{(\Gamma,x{:}A);\Omega;\cdot \vdash x : A}\ \mathrm{Id}^u$.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Gamma;\Omega;(\Delta,x{:}C,y{:}A) \vdash M : B}{\Gamma;\Omega;(\Delta,x{:}C) \vdash \lambda y^1{:}A.\,M : A \to^1 B}\ {\to^1}I$

$\Gamma;\Omega;(\Delta,x{:}C,y{:}A) \vdash M : B$    By sub-derivation
$(\Gamma,x{:}C);\Omega;(\Delta,y{:}A) \vdash M : B$    By IH
$(\Gamma,x{:}C);\Omega;\Delta \vdash \lambda y^1{:}A.\,M : A \to^1 B$    By rule

Case: $\mathcal{D}$ ends in ${\to^u}I$ or ${\to^0}I$: the thesis follows from an immediate appeal to the inductive hypothesis, as in the above case.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Gamma;\Omega;(\Delta,x{:}C) \vdash M : A \to^u B \qquad \mathcal{D}_2 :: (\Gamma,\Delta,x{:}C);\Omega;\cdot \vdash N : A}{\Gamma;\Omega;(\Delta,x{:}C) \vdash M\,N^u : B}\ {\to^u}E$

$\Gamma;\Omega;(\Delta,x{:}C) \vdash M : A \to^u B$    By sub-derivation
$(\Gamma,x{:}C);\Omega;\Delta \vdash M : A \to^u B$    By IH
$(\Gamma,\Delta,x{:}C);\Omega;\cdot \vdash N : A$    By sub-derivation
$(\Gamma,x{:}C);\Omega;\Delta \vdash M\,N^u : B$    By rule

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: \Gamma;\Omega;(\Delta,x{:}C) \vdash M : A \to^0 B \qquad \mathcal{D}_2 :: (\Gamma,\Omega,\Delta,x{:}C);\cdot;\cdot \vdash N : A}{\Gamma;\Omega;(\Delta,x{:}C) \vdash M\,N^0 : B}\ {\to^0}E$

$\Gamma;\Omega;(\Delta,x{:}C) \vdash M : A \to^0 B$    By sub-derivation
$(\Gamma,x{:}C);\Omega;\Delta \vdash M : A \to^0 B$    By IH
$(\Gamma,\Omega,\Delta,x{:}C);\cdot;\cdot \vdash N : A$    By sub-derivation
$(\Gamma,x{:}C);\Omega;\Delta \vdash M\,N^0 : B$    By rule

Case: $\mathcal{D}$ ends in ${\to^1}E$. There are two sub-cases:

$x \in \Delta_M$, that is $\Delta_M = \Delta'_M, x{:}C$:

$\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,\Delta_N);\Omega;(\Delta'_M,x{:}C) \vdash M : A \to^1 B \qquad \mathcal{D}_2 :: (\Gamma,\Delta'_M,x{:}C);\Omega;\Delta_N \vdash N : A}{\Gamma;\Omega;(\Delta'_M,x{:}C,\Delta_N) \vdash M\,N^1 : B}\ {\to^1}E$

$(\Gamma,\Delta_N);\Omega;(\Delta'_M,x{:}C) \vdash M : A \to^1 B$    By sub-derivation
$(\Gamma,\Delta_N,x{:}C);\Omega;\Delta'_M \vdash M : A \to^1 B$    By IH
$(\Gamma,\Delta'_M,x{:}C);\Omega;\Delta_N \vdash N : A$    By sub-derivation
$(\Gamma,x{:}C);\Omega;(\Delta'_M,\Delta_N) \vdash M\,N^1 : B$    By rule

$x \in \Delta_N$: symmetrical to the above.

□


Corollary 3.7 (Loosening$^1$) If $\Gamma;\Omega;\Delta \vdash M : A$, then $(\Gamma,\Delta);\Omega;\cdot \vdash M : A$.

Proof: By repeated application of Theorem 3.6. □

Theorem 3.8 (Substitution Properties)

1. (Substitution$^u$) If $(\Gamma,x{:}A);\Omega;\Delta \vdash M : C$ and $(\Gamma,\Delta);\Omega;\cdot \vdash N : A$, then $\Gamma;\Omega;\Delta \vdash [N/x]M : C$.

2. (Substitution$^0$) If $\Gamma;(\Omega,x{:}A);\Delta \vdash M : C$ and $(\Gamma,\Delta,\Omega);\cdot;\cdot \vdash N : A$, then $\Gamma;\Omega;\Delta \vdash [N/x]M : C$.

3. (Substitution$^1$) If $(\Gamma,\Delta_N);\Omega;(\Delta_M,x{:}A) \vdash M : C$ and $(\Gamma,\Delta_M);\Omega;\Delta_N \vdash N : A$, then $\Gamma;\Omega;(\Delta_M,\Delta_N) \vdash [N/x]M : C$.

Proof: The proof is by mutual induction on the height of the derivation $\mathcal{D}$ of $M : C$. We show the crucial cases.
1. Substitution$^u$

Case: $\mathcal{D} = \dfrac{c{:}C \in \Sigma}{(\Gamma,x{:}A);\Omega;\cdot \vdash c : C}\ \mathrm{Con}$. As $[N/x]c = c$, then $\mathcal{E} = \dfrac{c{:}C \in \Sigma}{\Gamma;\Omega;\cdot \vdash c : C}\ \mathrm{Con}$.

Case: $\mathcal{D} = \dfrac{}{(\Gamma',x{:}A,y{:}C);\Omega;\cdot \vdash y : C}\ \mathrm{Id}^u$ with $y \neq x$. As $[N/x]y = y$, then $\mathcal{E} = \dfrac{}{(\Gamma',y{:}C);\Omega;\cdot \vdash y : C}\ \mathrm{Id}^u$.

Case: $\mathcal{D} = \dfrac{}{(\Gamma,x{:}A);\Omega;\cdot \vdash x : C}\ \mathrm{Id}^u$. As $[N/x]x = N$ and $C = A$, then $\mathcal{E} = \mathcal{E}' :: \Gamma;\Omega;\cdot \vdash N : C$, the given derivation of $N$ (here $\Delta = \cdot$).

Case: $\mathcal{D} = \dfrac{}{(\Gamma,x{:}A);\Omega;y{:}C \vdash y : C}\ \mathrm{Id}^1$. As $[N/x]y = y$, then $\mathcal{E} = \dfrac{}{\Gamma;\Omega;y{:}C \vdash y : C}\ \mathrm{Id}^1$.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,x{:}A,y{:}B);\Omega;\Delta \vdash M : C}{(\Gamma,x{:}A);\Omega;\Delta \vdash \lambda y^u{:}B.\,M : B \to^u C}\ {\to^u}I$

$(\Gamma,x{:}A,y{:}B);\Omega;\Delta \vdash M : C$    By sub-derivation
$(\Gamma,\Delta);\Omega;\cdot \vdash N : A$    By hypothesis
$(\Gamma,\Delta,y{:}B);\Omega;\cdot \vdash N : A$    By Weakening$^u$
$(\Gamma,y{:}B);\Omega;\Delta \vdash [N/x]M : C$    By IH
$\Gamma;\Omega;\Delta \vdash \lambda y^u{:}B.\,[N/x]M : B \to^u C$    By rule
$\Gamma;\Omega;\Delta \vdash [N/x](\lambda y^u{:}B.\,M) : B \to^u C$    By substitution

Case: $\mathcal{D}$ ends with ${\to^0}I$ or ${\to^1}I$: similarly.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,x{:}A);\Omega;\Delta \vdash P : B \to^u C \qquad \mathcal{D}_2 :: (\Gamma,\Delta,x{:}A);\Omega;\cdot \vdash Q : B}{(\Gamma,x{:}A);\Omega;\Delta \vdash P\,Q^u : C}\ {\to^u}E$

$(\Gamma,x{:}A);\Omega;\Delta \vdash P : B \to^u C$    By sub-derivation
$\mathcal{E} :: (\Gamma,\Delta);\Omega;\cdot \vdash N : A$    By hypothesis
$\Gamma;\Omega;\Delta \vdash [N/x]P : B \to^u C$    By IH on $\mathcal{D}_1$ and $\mathcal{E}$
$(\Gamma,x{:}A,\Delta);\Omega;\cdot \vdash Q : B$    By sub-derivation
$(\Gamma,\Delta);\Omega;\cdot \vdash [N/x]Q : B$    By IH on $\mathcal{D}_2$ and $\mathcal{E}$
$\Gamma;\Omega;\Delta \vdash ([N/x]P)\,([N/x]Q)^u : C$    By rule
$\Gamma;\Omega;\Delta \vdash [N/x](P\,Q^u) : C$    By substitution

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,x{:}A);\Omega;\Delta \vdash P : B \to^0 C \qquad \mathcal{D}_2 :: (\Gamma,x{:}A,\Omega,\Delta);\cdot;\cdot \vdash Q : B}{(\Gamma,x{:}A);\Omega;\Delta \vdash P\,Q^0 : C}\ {\to^0}E$

$(\Gamma,x{:}A);\Omega;\Delta \vdash P : B \to^0 C$    By sub-derivation
$\mathcal{E} :: (\Gamma,\Delta);\Omega;\cdot \vdash N : A$    By hypothesis
$\Gamma;\Omega;\Delta \vdash [N/x]P : B \to^0 C$    By IH on $\mathcal{D}_1$ and $\mathcal{E}$
$(\Gamma,x{:}A,\Omega,\Delta);\cdot;\cdot \vdash Q : B$    By sub-derivation
$\mathcal{E}' :: (\Gamma,\Delta,\Omega);\cdot;\cdot \vdash N : A$    By Loosening$^0$ $\Omega$ in $\mathcal{E}$
$(\Gamma,\Delta,\Omega);\cdot;\cdot \vdash [N/x]Q : B$    By IH on $\mathcal{D}_2$ and $\mathcal{E}'$
$\Gamma;\Omega;\Delta \vdash [N/x](P\,Q^0) : C$    By rule

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,x{:}A,\Delta_Q);\Omega;\Delta_P \vdash P : B \to^1 C \qquad \mathcal{D}_2 :: (\Gamma,x{:}A,\Delta_P);\Omega;\Delta_Q \vdash Q : B}{(\Gamma,x{:}A);\Omega;(\Delta_P,\Delta_Q) \vdash P\,Q^1 : C}\ {\to^1}E$

$(\Gamma,x{:}A,\Delta_Q);\Omega;\Delta_P \vdash P : B \to^1 C$    By sub-derivation
$\mathcal{E} :: (\Gamma,\Delta_P,\Delta_Q);\Omega;\cdot \vdash N : A$    By hypothesis
$(\Gamma,\Delta_Q);\Omega;\Delta_P \vdash [N/x]P : B \to^1 C$    By IH on $\mathcal{D}_1$ and $\mathcal{E}$
$(\Gamma,x{:}A,\Delta_P);\Omega;\Delta_Q \vdash Q : B$    By sub-derivation
$(\Gamma,\Delta_P);\Omega;\Delta_Q \vdash [N/x]Q : B$    By IH on $\mathcal{D}_2$ and $\mathcal{E}$
$\Gamma;\Omega;(\Delta_P,\Delta_Q) \vdash [N/x](P\,Q^1) : C$    By rule

2. Substitution$^0$: similar to the above.

3. Substitution$^1$

Case: $\mathcal{D}$ ends in $\mathrm{Con}$ or $\mathrm{Id}^u$: vacuously true, as the strict context $(\Delta_M,x{:}A)$ is not empty.

Case: $\mathcal{D} = \dfrac{}{(\Gamma,\Delta_N);\Omega;x{:}A \vdash x : A}\ \mathrm{Id}^1$ and $[N/x]x = N$; then $\Delta_M = \cdot$, $C = A$ and $\mathcal{E} = \mathcal{E}' :: \Gamma;\Omega;\Delta_N \vdash N : A$, the given derivation of $N$.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,\Delta_N);(\Omega,y{:}B);(\Delta_M,x{:}A) \vdash Q : C}{(\Gamma,\Delta_N);\Omega;(\Delta_M,x{:}A) \vdash \lambda y^0{:}B.\,Q : B \to^0 C}\ {\to^0}I$

$\mathcal{D}_1 :: (\Gamma,\Delta_N);(\Omega,y{:}B);(\Delta_M,x{:}A) \vdash Q : C$    By sub-derivation
$\mathcal{E} :: (\Gamma,\Delta_M);\Omega;\Delta_N \vdash N : A$    By hypothesis
$\mathcal{E}' :: (\Gamma,\Delta_M);(\Omega,y{:}B);\Delta_N \vdash N : A$    By Weakening$^0$ on $\mathcal{E}$
$\Gamma;(\Omega,y{:}B);(\Delta_M,\Delta_N) \vdash [N/x]Q : C$    By IH on $\mathcal{D}_1$ and $\mathcal{E}'$
$\Gamma;\Omega;(\Delta_M,\Delta_N) \vdash \lambda y^0{:}B.\,[N/x]Q : B \to^0 C$    By rule
$\Gamma;\Omega;(\Delta_M,\Delta_N) \vdash [N/x](\lambda y^0{:}B.\,Q) : B \to^0 C$    By substitution

Case: $\mathcal{D}$ ends with ${\to^u}I$. Proceed similarly using Weakening$^u$.

Case: $\mathcal{D}$ ends with ${\to^1}I$. It follows by an immediate appeal to the IH.

Case: $\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,\Delta_N);\Omega;(\Delta_M,x{:}A) \vdash P : B \to^u C \qquad \mathcal{D}_2 :: (\Gamma,\Delta_M,x{:}A,\Delta_N);\Omega;\cdot \vdash Q : B}{(\Gamma,\Delta_N);\Omega;(\Delta_M,x{:}A) \vdash P\,Q^u : C}\ {\to^u}E$

$\mathcal{D}_1 :: (\Gamma,\Delta_N);\Omega;(\Delta_M,x{:}A) \vdash P : B \to^u C$    By sub-derivation
$\mathcal{E} :: (\Gamma,\Delta_M);\Omega;\Delta_N \vdash N : A$    By hypothesis
$\Gamma;\Omega;(\Delta_M,\Delta_N) \vdash [N/x]P : B \to^u C$    By IH on $\mathcal{D}_1$ and $\mathcal{E}$
$\mathcal{D}_2 :: (\Gamma,\Delta_M,x{:}A,\Delta_N);\Omega;\cdot \vdash Q : B$    By sub-derivation
$(\Gamma,\Delta_M,\Delta_N);\Omega;\cdot \vdash [N/x]Q : B$    By IH on $\mathcal{D}_2$ and $\mathcal{E}$ (Loosening$^1$ $\Delta_N$ in $\mathcal{E}$)
$\Gamma;\Omega;(\Delta_M,\Delta_N) \vdash [N/x](P\,Q^u) : C$    By rule

Case: $\mathcal{D}$ ends in ${\to^0}E$: similar.

Case: $\mathcal{D}$ ends in ${\to^1}E$: there are two sub-cases.

$x \in \Delta_P$, where $\Delta_M = \Delta'_P, \Delta_Q$:

$\mathcal{D} = \dfrac{\mathcal{D}_1 :: (\Gamma,\Delta_N,\Delta_Q);\Omega;(\Delta'_P,x{:}A) \vdash P : B \to^1 C \qquad \mathcal{D}_2 :: (\Gamma,\Delta_N,x{:}A,\Delta'_P);\Omega;\Delta_Q \vdash Q : B}{(\Gamma,\Delta_N);\Omega;(\Delta'_P,x{:}A,\Delta_Q) \vdash P\,Q^1 : C}\ {\to^1}E$

$\mathcal{D}_1 :: (\Gamma,\Delta_N,\Delta_Q);\Omega;(\Delta'_P,x{:}A) \vdash P : B \to^1 C$    By sub-derivation
$\mathcal{E} :: (\Gamma,\Delta'_P,\Delta_Q);\Omega;\Delta_N \vdash N : A$    By hypothesis
$(\Gamma,\Delta_Q);\Omega;(\Delta'_P,\Delta_N) \vdash [N/x]P : B \to^1 C$    By IH 3 on $\mathcal{D}_1$, $\mathcal{E}$
$\mathcal{D}_2 :: (\Gamma,\Delta_N,x{:}A,\Delta'_P);\Omega;\Delta_Q \vdash Q : B$    By sub-derivation
$\mathcal{E}' :: (\Gamma,\Delta'_P,\Delta_Q,\Delta_N);\Omega;\cdot \vdash N : A$    By Loosening$^1$ $\Delta_N$ in $\mathcal{E}$
$(\Gamma,\Delta_N,\Delta'_P);\Omega;\Delta_Q \vdash [N/x]Q : B$    By IH 1 on $\mathcal{D}_2$, $\mathcal{E}'$
$\Gamma;\Omega;(\Delta'_P,\Delta_N,\Delta_Q) \vdash [N/x](P\,Q^1) : C$    By rule

$x \in \Delta_Q$: symmetrical to the above.

□


Theorem 3.9 (Contraction) Let $z$ be a fresh variable of type $A$:

1. (Contraction$^u$) If $(\Gamma,x{:}A,y{:}A);\Omega;\Delta \vdash M : C$, then $(\Gamma,z{:}A);\Omega;\Delta \vdash [z/y]([z/x]M) : C$.

2. (Contraction$^0$) If $\Gamma;(\Omega,x{:}A,y{:}A);\Delta \vdash M : C$, then $\Gamma;(\Omega,z{:}A);\Delta \vdash [z/y]([z/x]M) : C$.

3. (Contraction$^1$) If $\Gamma;\Omega;(\Delta,x{:}A,y{:}A) \vdash M : C$, then $\Gamma;\Omega;(\Delta,z{:}A) \vdash [z/y]([z/x]M) : C$.

Proof:

1.
$(\Gamma,x{:}A,y{:}A);\Omega;\Delta \vdash M : C$    By assumption
$(\Gamma,x{:}A,y{:}A,z{:}A);\Omega;\Delta \vdash M : C$    By Weakening$^u$
$(\Gamma,y{:}A,\Delta,z{:}A);\Omega;\cdot \vdash z : A$    By rule $\mathrm{Id}^u$
$(\Gamma,y{:}A,z{:}A);\Omega;\Delta \vdash [z/x]M : C$    By Substitution$^u$
$(\Gamma,\Delta,z{:}A);\Omega;\cdot \vdash z : A$    By rule $\mathrm{Id}^u$
$(\Gamma,z{:}A);\Omega;\Delta \vdash [z/y]([z/x]M) : C$    By Substitution$^u$

2. Similarly, using Substitution$^0$.

3.
$\Gamma;\Omega;(\Delta,x{:}A,y{:}A) \vdash M : C$    By assumption
$(\Gamma,z{:}A);\Omega;(\Delta,x{:}A,y{:}A) \vdash M : C$    By Weakening$^u$
$(\Gamma,y{:}A,\Delta);\Omega;z{:}A \vdash z : A$    By rule $\mathrm{Id}^1$
$\Gamma;\Omega;(\Delta,y{:}A,z{:}A) \vdash [z/x]M : C$    By Substitution$^1$
$(\Gamma,z{:}A);\Omega;(\Delta,y{:}A) \vdash [z/x]M : C$    By Loosening$^1$
$(\Gamma,\Delta);\Omega;z{:}A \vdash z : A$    By rule $\mathrm{Id}^1$
$\Gamma;\Omega;(\Delta,z{:}A) \vdash [z/y]([z/x]M) : C$    By Substitution$^1$

□
The notions of reduction and expansion derive directly from the ordinary $\beta$ and $\eta$ rules.

$$(\lambda x^k{:}A.\,M)\,N^k \longrightarrow_\beta [N/x]M$$
$$M : A \to^k B \longrightarrow_\eta \lambda x^k{:}A.\,M\,x^k$$

Indeed one of the main reasons to introduce irrelevant variables, as ones which may occur but must not be used, is to well-type $\eta$-expansion of invariant functions:

$$M : A \to^0 B \longrightarrow_\eta \lambda x^0{:}A.\,M\,x^0$$

The subject reduction and expansion theorems are an immediate consequence of the structural and substitution properties.

Theorem 3.10 (Subject Reduction) If $\Gamma;\Omega;\Delta \vdash M : A$ and $M \longrightarrow_\beta M'$ then $\Gamma;\Omega;\Delta \vdash M' : A$.


Proof: By cases on $k$:

1. Let $M = (\lambda x^u{:}B.\,P)\,Q^u : A$ and $M' = [Q/x]P$.

$\Gamma;\Omega;\Delta \vdash (\lambda x^u{:}B.\,P)\,Q^u : A$    By hypothesis
$\mathcal{E} :: (\Gamma,\Delta);\Omega;\cdot \vdash Q : B$    By inversion
$\Gamma;\Omega;\Delta \vdash \lambda x^u{:}B.\,P : B \to^u A$    By inversion
$\mathcal{D} :: (\Gamma,x{:}B);\Omega;\Delta \vdash P : A$    By inversion
$\Gamma;\Omega;\Delta \vdash [Q/x]P : A$    By Substitution$^u$ on $\mathcal{D}$, $\mathcal{E}$

2. Let $M = (\lambda x^0{:}B.\,P)\,Q^0 : A$ and $M' = [Q/x]P$.

$\Gamma;\Omega;\Delta \vdash (\lambda x^0{:}B.\,P)\,Q^0 : A$    By hypothesis
$\mathcal{E} :: (\Gamma,\Omega,\Delta);\cdot;\cdot \vdash Q : B$    By inversion
$\Gamma;\Omega;\Delta \vdash \lambda x^0{:}B.\,P : B \to^0 A$    By inversion
$\mathcal{D} :: \Gamma;(\Omega,x{:}B);\Delta \vdash P : A$    By inversion
$\Gamma;\Omega;\Delta \vdash [Q/x]P : A$    By Substitution$^0$ on $\mathcal{D}$, $\mathcal{E}$

3. Let $M = (\lambda x^1{:}B.\,P)\,Q^1 : A$ and $M' = [Q/x]P$.

$\Gamma;\Omega;\Delta \vdash (\lambda x^1{:}B.\,P)\,Q^1 : A$ and $\Delta = \Delta_P, \Delta_Q$    By hypothesis
$\mathcal{E} :: (\Gamma,\Delta_P);\Omega;\Delta_Q \vdash Q : B$    By inversion
$(\Gamma,\Delta_Q);\Omega;\Delta_P \vdash \lambda x^1{:}B.\,P : B \to^1 A$    By inversion
$\mathcal{D} :: (\Gamma,\Delta_Q);\Omega;(\Delta_P,x{:}B) \vdash P : A$    By inversion
$\Gamma;\Omega;(\Delta_P,\Delta_Q) \vdash [Q/x]P : A$    By Substitution$^1$ on $\mathcal{D}$, $\mathcal{E}$

□

Theorem 3.11 (Subject Expansion) If $\Gamma;\Omega;\Delta \vdash M : A \to^k B$ and $M \longrightarrow_\eta M'$ then $\Gamma;\Omega;\Delta \vdash M' : A \to^k B$.

Proof: By cases on $k$:

1.
$\Gamma;\Omega;\Delta \vdash M : A \to^u B$    By hypothesis
$(\Gamma,x{:}A);\Omega;\Delta \vdash M : A \to^u B$    By Weakening$^u$
$(\Gamma,x{:}A,\Delta);\Omega;\cdot \vdash x : A$    By rule $\mathrm{Id}^u$
$(\Gamma,x{:}A);\Omega;\Delta \vdash M\,x^u : B$    By rule ${\to^u}E$
$\Gamma;\Omega;\Delta \vdash \lambda x^u{:}A.\,M\,x^u : A \to^u B$    By rule ${\to^u}I$

2.
$\Gamma;\Omega;\Delta \vdash M : A \to^0 B$    By hypothesis
$\Gamma;(\Omega,x{:}A);\Delta \vdash M : A \to^0 B$    By Weakening$^0$
$(\Gamma,\Omega,x{:}A,\Delta);\cdot;\cdot \vdash x : A$    By rule $\mathrm{Id}^u$
$\Gamma;(\Omega,x{:}A);\Delta \vdash M\,x^0 : B$    By rule ${\to^0}E$
$\Gamma;\Omega;\Delta \vdash \lambda x^0{:}A.\,M\,x^0 : A \to^0 B$    By rule ${\to^0}I$

3.
$\Gamma;\Omega;\Delta \vdash M : A \to^1 B$    By hypothesis
$(\Gamma,x{:}A);\Omega;\Delta \vdash M : A \to^1 B$    By Weakening$^u$
$(\Gamma,\Delta);\Omega;x{:}A \vdash x : A$    By rule $\mathrm{Id}^1$
$\Gamma;\Omega;(\Delta,x{:}A) \vdash M\,x^1 : B$    By rule ${\to^1}E$
$\Gamma;\Omega;\Delta \vdash \lambda x^1{:}A.\,M\,x^1 : A \to^1 B$    By rule ${\to^1}I$

□


$$\frac{}{(\lambda x^k{:}A.\,M)\,N^k \longrightarrow [N/x]M}\ \beta
\qquad
\frac{M \longrightarrow M'}{\lambda x^k{:}A.\,M \longrightarrow \lambda x^k{:}A.\,M'}$$

$$\frac{M \longrightarrow Q}{(M\,N)^k \longrightarrow (Q\,N)^k}
\qquad
\frac{N \longrightarrow Q}{(M\,N)^k \longrightarrow (M\,Q)^k}$$

Figure 3.4: Reduction rules for $\lambda^{\to^k}$


We can now give the definition of reduction in Figure 3.4: we write $\longrightarrow^*$ for the reflexive and transitive closure of $\longrightarrow$.

Theorem 3.12 (Subject Reduction with Congruences) If $\Gamma;\Omega;\Delta \vdash M : A$ and $M \longrightarrow M'$ then $\Gamma;\Omega;\Delta \vdash M' : A$.

Proof: By induction on the derivation of $M \longrightarrow M'$, using Subject Reduction (Theorem 3.10) for the base cases. □

The following Lemma establishes a sort of consistency property of the type system, so that a term can be typed only by exclusive contexts. In particular we show that a term $M$ cannot be both strict and vacuous in one variable, say $x$. This will be central in the proof of disjointness of term complementation (Theorem 4.20):

Lemma 3.13 It is not the case that both $\Gamma_1;\Omega_1;(\Delta_1,x{:}C) \vdash M : A$ and $\Gamma_2;(\Omega_2,x{:}C);\Delta_2 \vdash M : A$.

Proof: By induction on the structure of $\mathcal{D}_1 :: \Gamma_1;\Omega_1;(\Delta_1,x{:}C) \vdash M : A$ and inversion on $\mathcal{D}_2 :: \Gamma_2;(\Omega_2,x{:}C);\Delta_2 \vdash M : A$.

Case: $\mathcal{D}_1 = \dfrac{}{\Gamma_1;\Omega_1;x{:}A \vdash x : A}\ \mathrm{Id}^1$, but there can be no proof of $x : A$ from $\Gamma_2;(\Omega_2,x{:}A);\Delta_2$, since there is no rule for irrelevant variables.

No case for $\mathrm{Id}^u$ and $\mathrm{Con}$.

Case: $\mathcal{D}_1 = \dfrac{\mathcal{D}'_1 :: \Gamma_1;\Omega_1;(\Delta_1,x{:}C,y{:}B) \vdash M : A}{\Gamma_1;\Omega_1;(\Delta_1,x{:}C) \vdash \lambda y^1{:}B.\,M : B \to^1 A}\ {\to^1}I$

and

$\mathcal{D}_2 = \dfrac{\mathcal{D}'_2 :: \Gamma_2;(\Omega_2,x{:}C);(\Delta_2,y{:}B) \vdash M : A}{\Gamma_2;(\Omega_2,x{:}C);\Delta_2 \vdash \lambda y^1{:}B.\,M : B \to^1 A}\ {\to^1}I$

$\Gamma_1;\Omega_1;(\Delta_1,x{:}C,y{:}B) \vdash M : A$    By sub-derivation of $\mathcal{D}_1$
$\Gamma_2;(\Omega_2,x{:}C);(\Delta_2,y{:}B) \vdash M : A$    By inversion on $\mathcal{D}_2$
$\bot$    By IH

Case: $\mathcal{D}_1$ ends in ${\to^u}I$ or ${\to^0}I$. The result follows analogously by IH.

Case: $\mathcal{D}_1$ ends in ${\to^u}E$ or ${\to^0}E$. The result follows by IH on the leftmost sub-derivation.

Case: $\mathcal{D}_1$ ends in ${\to^1}E$: there are two sub-cases:

Subcase: $\Delta^1_M = \Delta'_M, x{:}C$

$\mathcal{D}_1 = \dfrac{(\Gamma_1,\Delta^1_N);\Omega_1;(\Delta'_M,x{:}C) \vdash M : A \to^1 B \qquad (\Gamma_1,\Delta'_M,x{:}C);\Omega_1;\Delta^1_N \vdash N : A}{\Gamma_1;\Omega_1;(\Delta'_M,x{:}C,\Delta^1_N) \vdash M\,N^1 : B}\ {\to^1}E$

and

$\mathcal{D}_2 = \dfrac{(\Gamma_2,\Delta^2_N);(\Omega_2,x{:}C);\Delta^2_M \vdash M : A \to^1 B \qquad (\Gamma_2,\Delta^2_M);(\Omega_2,x{:}C);\Delta^2_N \vdash N : A}{\Gamma_2;(\Omega_2,x{:}C);(\Delta^2_M,\Delta^2_N) \vdash M\,N^1 : B}\ {\to^1}E$

$(\Gamma_1,\Delta^1_N);\Omega_1;(\Delta'_M,x{:}C) \vdash M : A \to^1 B$    By sub-derivation of $\mathcal{D}_1$
$(\Gamma_2,\Delta^2_N);(\Omega_2,x{:}C);\Delta^2_M \vdash M : A \to^1 B$    By inversion on $\mathcal{D}_2$
$\bot$    By IH

Subcase: $\Delta^1_N = \Delta'_N, x{:}C$: symmetrically.

□


Corollary 3.14 (Exclusivity)

1. It is not the case that both $\Gamma;\Omega;(\Delta,x{:}C) \vdash M : A$ and $(\Gamma,\Delta);x{:}C;\cdot \vdash M : A$.

2. It is not the case that both $\Gamma;(\Omega,x{:}C);\Delta \vdash M : A$ and $(\Gamma,\Delta);\cdot;x{:}C \vdash M : A$.

Proof:

1.
It is not the case that both $\Gamma;\Omega;(\Delta,x{:}C) \vdash M : A$ and $\Gamma;(\Omega,x{:}C);\Delta \vdash M : A$    By Lemma 3.13
It is not the case that both $\Gamma;\Omega;(\Delta,x{:}C) \vdash M : A$ and $(\Gamma,\Delta);(\Omega,x{:}C);\cdot \vdash M : A$    By Loosening$^1$ $\Delta$
It is not the case that both $\Gamma;\Omega;(\Delta,x{:}C) \vdash M : A$ and $(\Gamma,\Omega,\Delta);x{:}C;\cdot \vdash M : A$    By Loosening$^0$ $\Omega$

2. Analogously.

□


We end this section by checking that our strict calculus is a conservative extension of the simply typed λ-calculus. We therefore define a forgetful functor from $\lambda^{\to^k}$ to $\lambda^{\to}$:

$$\begin{array}{rcl}
|A \to^k B| & = & |A| \to |B| \\
|a| & = & a \\[4pt]
|x| & = & x \\
|c| & = & c \\
|\lambda x^k{:}A.\,M| & = & \lambda x{:}|A|.\,|M| \\
|M\,N^k| & = & |M|\ |N| \\[4pt]
|\cdot| & = & \cdot \\
|\Gamma, x{:}A| & = & |\Gamma|, x{:}|A| \\[4pt]
|\Sigma, a{:}\mathrm{type}| & = & |\Sigma|, a{:}\mathrm{type} \\
|\Sigma, c{:}A| & = & |\Sigma|, c{:}|A|
\end{array}$$

Theorem 3.15 (Conservativity) If $\Gamma;\Omega;\Delta \vdash_{\lambda^{\to^k}} M : A$, then $|\Gamma|, |\Omega|, |\Delta| \vdash_{\lambda^{\to}} |M| : |A|$.

Proof: By induction on the structure of the given derivation. □


3.2 The Canonical Form Theorem

In this section we establish the existence of canonical forms for $\lambda^{\to^k}$, i.e. $\beta$-normal $\eta$-long forms, which is crucial for our intended application. We prove this by Tait's method of logical relations; we essentially follow the account in [Pfe92], with a surprisingly small amount of generalization from simple to strict types; we do differ on the account of substitutions.

We start by presenting the inductive definition of canonical forms in $\lambda^{\to^k}$. It is realized by the two mutually recursive judgments depicted in Figure 3.5:

1. $\Gamma;\Omega;\Delta \vdash M \downarrow A$    $M$ is atomic of type $A$,

2. $\Gamma;\Omega;\Delta \vdash M \Uparrow A$    $M$ is canonical of type $A$.

Lemma 3.16 (Soundness of Canonical Terms) If $\Gamma;\Omega;\Delta \vdash M \Uparrow A$, then $\Gamma;\Omega;\Delta \vdash M : A$.

Proof: By induction on the structure of the derivation of $\Gamma;\Omega;\Delta \vdash M \Uparrow A$. □

We then introduce conversion to canonical form in Figure 3.6. Note that conversion is not required to respect the occurrence constraints, provided that we start with a well-typed term:

1. $\Psi \vdash M \downarrow N : A$    $M$ converts to atomic form $N$ at type $A$.

2. $\Psi \vdash M \Uparrow N : A$    $M$ converts to canonical form $N$ at type $A$.

This utilizes weak head reduction, which includes local reduction ($\beta$) and partial congruence ($\nu$):

$$\frac{}{(\lambda x^k{:}A.\,M)\,N^k \longrightarrow_{whr} [N/x]M}\ \beta
\qquad
\frac{M \longrightarrow_{whr} Q}{(M\,N)^k \longrightarrow_{whr} (Q\,N)^k}\ \nu$$

Theorem 3.17 (Conversion Yields Canonical Terms) If $(\Gamma,\Omega,\Delta) \vdash M \Uparrow N : A$ and $\Gamma;\Omega;\Delta \vdash M : A$, then $\Gamma;\Omega;\Delta \vdash N \Uparrow A$.

Proof: By induction on the structure of $\mathcal{D} :: (\Gamma,\Omega,\Delta) \vdash M \Uparrow N : A$ and inversion on the typing derivation; we show some cases:

Case: $\mathcal{D} = \dfrac{x{:}A \in \Psi}{\Psi \vdash x \downarrow x : A}\ \mathrm{tcIdvar}$
$$\frac{c{:}A \in \Sigma}{\Gamma;\Omega;\cdot \vdash c \downarrow A}\ \mathrm{cIdc}
\qquad
\frac{}{(\Gamma,x{:}A);\Omega;\cdot \vdash x \downarrow A}\ \mathrm{cId}^u
\qquad
\text{no rule for } \mathrm{cId}^0
\qquad
\frac{}{\Gamma;\Omega;x{:}A \vdash x \downarrow A}\ \mathrm{cId}^1$$

$$\frac{\Gamma;\Omega;\Delta \vdash M \downarrow a}{\Gamma;\Omega;\Delta \vdash M \Uparrow a}\ \mathrm{c}{\Uparrow\downarrow}$$

$$\frac{(\Gamma,x{:}A);\Omega;\Delta \vdash M \Uparrow B}{\Gamma;\Omega;\Delta \vdash \lambda x^u{:}A.\,M \Uparrow A \to^u B}\ \mathrm{c}{\to^u}I
\qquad
\frac{\Gamma;\Omega;(\Delta,x{:}A) \vdash M \Uparrow B}{\Gamma;\Omega;\Delta \vdash \lambda x^1{:}A.\,M \Uparrow A \to^1 B}\ \mathrm{c}{\to^1}I
\qquad
\frac{\Gamma;(\Omega,x{:}A);\Delta \vdash M \Uparrow B}{\Gamma;\Omega;\Delta \vdash \lambda x^0{:}A.\,M \Uparrow A \to^0 B}\ \mathrm{c}{\to^0}I$$

$$\frac{\Gamma;\Omega;\Delta \vdash M \downarrow A \to^u B \qquad (\Gamma,\Delta);\Omega;\cdot \vdash N \Uparrow A}{\Gamma;\Omega;\Delta \vdash M\,N^u \downarrow B}\ \mathrm{c}{\to^u}E$$

$$\frac{\Gamma;\Omega;\Delta \vdash M \downarrow A \to^0 B \qquad (\Gamma,\Omega,\Delta);\cdot;\cdot \vdash N \Uparrow A}{\Gamma;\Omega;\Delta \vdash M\,N^0 \downarrow B}\ \mathrm{c}{\to^0}E$$

$$\frac{(\Gamma,\Delta_N);\Omega;\Delta_M \vdash M \downarrow A \to^1 B \qquad (\Gamma,\Delta_M);\Omega;\Delta_N \vdash N \Uparrow A}{\Gamma;\Omega;(\Delta_M,\Delta_N) \vdash M\,N^1 \downarrow B}\ \mathrm{c}{\to^1}E$$

Figure 3.5: Canonical forms


$$\frac{c{:}A \in \Sigma}{\Psi \vdash c \downarrow c : A}\ \mathrm{tcIdc}
\qquad
\frac{x{:}A \in \Psi}{\Psi \vdash x \downarrow x : A}\ \mathrm{tcIdvar}$$

$$\frac{M \longrightarrow_{whr} M' \qquad \Psi \vdash M' \Uparrow M'' : a}{\Psi \vdash M \Uparrow M'' : a}\ \mathrm{tc}
\qquad
\frac{\Psi \vdash M \downarrow N : a}{\Psi \vdash M \Uparrow N : a}\ \mathrm{tc}{\Uparrow\downarrow}$$

$$\frac{(\Psi,x{:}A) \vdash M\,x^k \Uparrow N : B}{\Psi \vdash M \Uparrow (\lambda x^k{:}A.\,N) : A \to^k B}\ \mathrm{tc}{\to}I
\qquad
\frac{\Psi \vdash M \downarrow P : A \to^k B \qquad \Psi \vdash N \Uparrow Q : A}{\Psi \vdash M\,N^k \downarrow P\,Q^k : B}\ \mathrm{tc}{\to}E$$

Figure 3.6: Conversion to canonical form
Subcase: the typing derivation is $\dfrac{}{\Gamma;\Omega;x{:}A \vdash x : A}\ \mathrm{Id}^1$. Then: $\dfrac{}{\Gamma;\Omega;x{:}A \vdash x \downarrow A}\ \mathrm{cId}^1$.

Subcase: the typing derivation is $\dfrac{}{(\Gamma,x{:}A);\Omega;\cdot \vdash x : A}\ \mathrm{Id}^u$. Then: $\dfrac{}{(\Gamma,x{:}A);\Omega;\cdot \vdash x \downarrow A}\ \mathrm{cId}^u$.

Case: $\mathcal{D} = \dfrac{M \longrightarrow_{whr} M' \qquad \Psi \vdash M' \Uparrow M'' : a}{\Psi \vdash M \Uparrow M'' : a}\ \mathrm{tc}$

$\Gamma;\Omega;\Delta \vdash M : a$    By hypothesis
$\Gamma;\Omega;\Delta \vdash M' : a$    By subject reduction (Theorem 3.10)
$\Gamma;\Omega;\Delta \vdash M'' \Uparrow a$    By IH

Case: $\mathcal{D} = \dfrac{\Psi \vdash M \downarrow P : A \to^k B \qquad \Psi \vdash N \Uparrow Q : A}{\Psi \vdash M\,N^k \downarrow P\,Q^k : B}\ \mathrm{tc}{\to}E$

Subcase: the typing derivation $\mathcal{D}'$ is $\dfrac{\Gamma;\Omega;\Delta \vdash M : A \to^u B \qquad (\Gamma,\Delta);\Omega;\cdot \vdash N : A}{\Gamma;\Omega;\Delta \vdash M\,N^u : B}\ {\to^u}E$

$\Gamma;\Omega;\Delta \vdash P \downarrow A \to^u B$    By IH
$(\Gamma,\Delta);\Omega;\cdot \vdash Q \Uparrow A$    By IH
$\Gamma;\Omega;\Delta \vdash P\,Q^u \downarrow B$    By rule

Subcase: $\mathcal{D}'$ is ${\to^0}E$ or ${\to^1}E$: analogously.

□


Since we have to talk about open terms, we will need a notion of context extension:

$$\frac{}{\Psi \ge \Psi}
\qquad
\frac{\Psi' \ge \Psi}{(\Psi', x{:}A) \ge \Psi}$$

Lemma 3.18 (Weakening for Conversion to Canonical and Atomic Form)

If $\Psi \vdash M \Uparrow N : A$ (resp. $\Psi \vdash M \downarrow N : A$) and $\Psi' \ge \Psi$, then $\Psi' \vdash M \Uparrow N : A$ (resp. $\Psi' \vdash M \downarrow N : A$).

Proof: By induction on the structure of the given derivation(s). □

We can now introduce logical relations, in complete analogy with the usual definition for the simply-typed λ-calculus:

Definition 3.19 (Logical Relations)

1. $\Psi \vdash M \in [a]$ iff $\Psi \vdash M \Uparrow N : a$, for some $N$.

2. $\Psi \vdash M \in [A \to^k B]$ iff for every $\Psi' \ge \Psi$ and every $N$, if $\Psi' \vdash N \in [A]$, then $\Psi' \vdash M\,N^k \in [B]$.
Lemma 3.20

1. If $\Psi \vdash M \in [A]$, then $\Psi \vdash M \Uparrow N : A$ for some $N$.

2. If $\Psi \vdash M \downarrow N : A$, then $\Psi \vdash M \in [A]$.

Proof: By induction on $A$.

Case: $A = a$. Immediate from definition.

Case: the type is $A \to^k B$.

1.
$\Psi \vdash M \in [A \to^k B]$    By hypothesis
$(\Psi,x{:}A) \ge \Psi$    By rule
$(\Psi,x{:}A) \vdash x \downarrow x : A$    By rule
$(\Psi,x{:}A) \vdash x \in [A]$    By IH 2
$(\Psi,x{:}A) \vdash M\,x^k \in [B]$    By definition of $[\cdot]$
$(\Psi,x{:}A) \vdash M\,x^k \Uparrow N : B$    By IH 1
$\Psi \vdash M \Uparrow (\lambda x^k{:}A.\,N) : A \to^k B$    By rule

2.
$\Psi \vdash M \downarrow M^+ : A \to^k B$    By hypothesis
$\Psi' \ge \Psi$ and $\Psi' \vdash N \in [A]$    By assumption
$\Psi' \vdash N \Uparrow N^+ : A$    By IH 1
$\Psi' \vdash M \downarrow M^+ : A \to^k B$    By Lemma 3.18
$\Psi' \vdash M\,N^k \downarrow M^+\,N^{+\,k} : B$    By rule
$\Psi' \vdash M\,N^k \in [B]$    By IH 2
$\Psi \vdash M \in [A \to^k B]$    By definition of $[\cdot]$

□


Lemma 3.21 (Closure under Head Expansion)
If $\Psi \vdash M' \in [A]$ and $M \longrightarrow_{whr} M'$, then $\Psi \vdash M \in [A]$.

Proof: By induction on $A$:

Case: $A = a$: immediate by definition and rule $\mathrm{tc}$.

Case: the type is $A \to^k B$:

$\Psi \vdash M' \in [A \to^k B]$    By hypothesis
$\Psi' \vdash N \in [A]$ for $\Psi' \ge \Psi$    By assumption
$\Psi' \vdash M'\,N^k \in [B]$    By definition
$(M\,N)^k \longrightarrow_{whr} (M'\,N)^k$    By rule $\nu$
$\Psi' \vdash M\,N^k \in [B]$    By IH
$\Psi \vdash M \in [A \to^k B]$    By definition

□

Due  to  the  need  to  /3-reduce  during  conversion  to  canonical  form,  we  need  to  introduce  substitutions. 
Differently  from  [Pfe92]  and  [Cer],  we  will  not  require  substitutions  to  be  well-typed. 

Substitutions  0  ::=el9,M/x 

Foi  6  =  9',  M/x,  we  say  that  x  is  defined  in  9  and  we  write  9{x)  =  M.  We  require  all  variables  defined  in  a 
substitution  to  be  distinct:  we  use  dom(0)  for  the  set  of  variables  defined  in  9  and  cod(0)  for  the  variables 
occurring  in  the  substituting  terms.  We  assume  them  to  be  disjoint. 


3.2.  THE  CANONICAL  FORM  THEOREM 


41 


Next,  we  define  the  application  of  a  substitution  to  a  term  M,  denoted  [d]M.  We  limit  application  of 
substitution  to  objects  whose  free  variables  are  in  the  domain  of  6'. 

[^]c  =  c 

[6\x  =  6{x) 

[e]{M  N^)  =  mM){[e]N)>^ 

[(9](At*:.4.  W)  =  Xx^:A.[e,xfx]M 

Note  that  in  the  lambda  case  we  can  assume  with  no  loss  of  generality  that  x  does  not  occur  in  dom(6')Ucod(^). 

We will also need to mediate between single-step substitutions stemming from $\beta$-reduction and simultaneous substitutions. We define how to compose single-step bindings from a $\beta$-reduction with simultaneous substitutions:

$[N/x]\epsilon = \epsilon$
$[N/x](\theta, M/y) = [N/x]\theta, ([N/x]M)/y$

Lemma 3.22  $[[N/x]\theta]M = [N/x]([\theta]M)$.

Proof: By induction on the structure of $M$. □

Corollary 3.23  Assume $x$ to be fresh in $\theta$: $[N/x]([\theta, x/x]M) = [\theta, N/x]M$.

Proof:

$[N/x]([\theta, x/x]M)$                                 By hypothesis
$= [[N/x](\theta, x/x)]M$                               By Lemma 3.22
$= [[N/x]\theta, ([N/x]x)/x]M$                          By composition of substitution
$= [\theta, N/x]M$                                      By application of substitution and $x$ fresh

□
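As an added example, not taken from the thesis, the following Python model makes the definitions above executable: application of a simultaneous substitution, the composition $[N/x]\theta$, and a check of Lemma 3.22 and Corollary 3.23 on constructed sample terms. The tuple-based term representation, the dict representation of $\theta$, and the sample terms are assumptions of this example.

```python
# Added example, not from the thesis: a small executable model of the
# simultaneous substitutions of Section 3.2 on labeled strict lambda terms.
# Term representation (an assumption of this example):
#   ('const', c) | ('var', x) | ('app', M, N, k)  for M N^k
#   ('lam', x, k, A, M)                           for \x^k:A. M
# where k is one of the labels '1', '0', 'u' and types A are plain strings.
# A substitution theta is a dict {x: M}; dom(theta) is its set of keys.

def free_vars(M):
    """Free variables of a term."""
    tag = M[0]
    if tag == 'const':
        return set()
    if tag == 'var':
        return {M[1]}
    if tag == 'app':
        return free_vars(M[1]) | free_vars(M[2])
    _, x, _, _, body = M
    return free_vars(body) - {x}

def apply_subst(theta, M):
    """[theta]M, the application of a simultaneous substitution.
    Defined only when free_vars(M) is a subset of dom(theta)."""
    tag = M[0]
    if tag == 'const':
        return M                                     # [theta]c = c
    if tag == 'var':
        return theta[M[1]]                           # [theta]x = theta(x)
    if tag == 'app':
        _, F, X, k = M                               # [theta](M N^k) = ([theta]M) ([theta]N)^k
        return ('app', apply_subst(theta, F), apply_subst(theta, X), k)
    _, x, k, A, body = M                             # [theta](\x^k:A. M) = \x^k:A. [theta, x/x]M
    assert x not in theta and all(x not in free_vars(N) for N in theta.values()), \
        "bound variable must be fresh for dom(theta) and cod(theta)"
    return ('lam', x, k, A, apply_subst({**theta, x: ('var', x)}, body))

def single_subst(N, x, M):
    """[N/x]M, the single-step substitution of a beta-reduction, expressed as the
    simultaneous substitution mapping x to N and every other free variable to itself."""
    theta = {y: ('var', y) for y in free_vars(M)}
    theta[x] = N
    return apply_subst(theta, M)

def compose(N, x, theta):
    """[N/x]theta: push the single-step binding N/x through each binding M/y of theta."""
    return {y: single_subst(N, x, M) for y, M in theta.items()}

def lemma_3_22(N, x, theta, M):
    """[[N/x]theta]M == [N/x]([theta]M)"""
    return apply_subst(compose(N, x, theta), M) == single_subst(N, x, apply_subst(theta, M))

def corollary_3_23(N, x, theta, M):
    """For x fresh in theta: [N/x]([theta, x/x]M) == [theta, N/x]M"""
    assert x not in theta
    lhs = single_subst(N, x, apply_subst({**theta, x: ('var', x)}, M))
    rhs = apply_subst({**theta, x: N}, M)
    return lhs == rhs

# Constructed samples: theta = (f z^1)/y, M = (y x)^u with x not in dom(theta), N = c.
THETA = {'y': ('app', ('const', 'f'), ('var', 'z'), '1')}
M_SAMPLE = ('app', ('var', 'y'), ('var', 'x'), 'u')
N_SAMPLE = ('const', 'c')

if __name__ == '__main__':
    print(apply_subst({**THETA, 'x': N_SAMPLE}, M_SAMPLE))
    print(corollary_3_23(N_SAMPLE, 'x', THETA, M_SAMPLE))
```

The freshness assertion in the lambda case is the "no loss of generality" side condition made explicit: the model refuses to substitute under a binder that clashes with $\mathrm{dom}(\theta) \cup \mathrm{cod}(\theta)$ rather than silently capturing.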

For a context $\Psi = x_1{:}A_1, \ldots, x_n{:}A_n$, we introduce the identity substitution on $\Psi$ as $id_\Psi = x_1/x_1, \ldots, x_n/x_n$.

Lemma 3.24 (Identity Substitution)  If $\Gamma; \Omega; \Delta \vdash M : A$, then $[id_{(\Gamma, \Omega, \Delta)}]M = M$.

Proof: By induction on $M$. □

We extend the notion of logical relations to contexts, exactly as in the simply typed case: a substitution $\theta$ is in the relation $\llbracket \Psi \rrbracket$ if for every binding $M/x$ such that $x{:}A$ is in $\Psi$, then $M$ is in $\llbracket A \rrbracket$.

Definition 3.25

1. $\Phi \vdash \theta \in \llbracket \cdot \rrbracket$ iff $\theta = \epsilon$.

2. $\Phi \vdash \theta \in \llbracket (\Psi, x{:}A) \rrbracket$ iff $\theta = \theta', M/x$, $\Phi \vdash M \in \llbracket A \rrbracket$ and $\Phi \vdash \theta' \in \llbracket \Psi \rrbracket$.

We remark that contexts are not ordered, hence, for $\Psi = (\Gamma, \Omega, \Delta)$ we will identify, for example, $\llbracket \Psi, x{:}A \rrbracket$ with $\llbracket (\Gamma, x{:}A, \Omega, \Delta) \rrbracket$.

Lemma 3.26 (Weakening for Logical Relations)  If $\Phi \vdash \theta \in \llbracket \Psi \rrbracket$, then $(\Phi, x{:}A) \vdash \theta \in \llbracket \Psi \rrbracket$.

Proof: By induction on the structure of the given derivation. □

Lemma 3.27 (Well-typed Terms are in the Logical Relation)  If $\Gamma; \Omega; \Delta \vdash M : A$, then for every $\Phi$ such that $\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, \Delta) \rrbracket$, $\Phi \vdash [\theta]M \in \llbracket A \rrbracket$.

Proof: By induction on the typing derivation $\mathcal{D} :: \Gamma; \Omega; \Delta \vdash M : A$:


Case:

$\mathcal{D} = \dfrac{}{(\Gamma, x{:}A); \Omega; \cdot \vdash x : A}\ Id^u$

$\Phi \vdash \theta \in \llbracket (\Gamma, x{:}A, \Omega) \rrbracket$          By assumption
$\Phi \vdash \theta(x) \in \llbracket A \rrbracket$                              By definition of $\llbracket \cdot \rrbracket$
$\Phi \vdash [\theta]x \in \llbracket A \rrbracket$                              By definition of substitution

Case:

$\mathcal{D} = \dfrac{}{\Gamma; \Omega; x{:}A \vdash x : A}\ Id^1$

$\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, x{:}A) \rrbracket$          By assumption
$\Phi \vdash \theta(x) \in \llbracket A \rrbracket$                              By definition of $\llbracket \cdot \rrbracket$
$\Phi \vdash [\theta]x \in \llbracket A \rrbracket$                              By definition of substitution

Case:

$\mathcal{D} = \dfrac{c{:}A \in \Sigma}{\Gamma; \Omega; \cdot \vdash c : A}\ Con$

Immediate by Lemma 3.20 and definition of substitution.
Case:

$\mathcal{D} = \dfrac{(\Gamma, x{:}A); \Omega; \Delta \vdash M : B}{\Gamma; \Omega; \Delta \vdash \lambda x^u{:}A.\,M : A \to^u B}\ {\to^u}I$

$(\Gamma, x{:}A); \Omega; \Delta \vdash M : B$                                                 By sub-derivation
$\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, \Delta) \rrbracket$                        By hypothesis
$\Phi' \geq \Phi$ and $\Phi' \vdash N \in \llbracket A \rrbracket$                             By assumption
$\Phi' \vdash (\theta, N/x) \in \llbracket (\Gamma, x{:}A, \Omega, \Delta) \rrbracket$         By definition of $\llbracket \cdot \rrbracket$ and Weakening (Lemma 3.26)
$\Phi' \vdash [\theta, N/x]M \in \llbracket B \rrbracket$                                      By IH
$\Phi' \vdash [N/x]([\theta, x/x]M) \in \llbracket B \rrbracket$                               By Corollary 3.23
$\Phi' \vdash (\lambda x^u{:}A.\,[\theta, x/x]M)\,N^u \in \llbracket B \rrbracket$             By Lemma 3.21
$\Phi' \vdash ([\theta](\lambda x^u{:}A.\,M))\,N^u \in \llbracket B \rrbracket$                By definition of substitution
$\Phi \vdash [\theta](\lambda x^u{:}A.\,M) \in \llbracket A \to^u B \rrbracket$                By definition of $\llbracket A \to^u B \rrbracket$

Case:

$\mathcal{D} = \dfrac{\Gamma; (\Omega, x{:}A); \Delta \vdash M : B}{\Gamma; \Omega; \Delta \vdash \lambda x^0{:}A.\,M : A \to^0 B}\ {\to^0}I$

$\Gamma; (\Omega, x{:}A); \Delta \vdash M : B$                                                 By sub-derivation
$\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, \Delta) \rrbracket$                        By hypothesis
$\Phi' \geq \Phi$ and $\Phi' \vdash N \in \llbracket A \rrbracket$                             By assumption
$\Phi' \vdash (\theta, N/x) \in \llbracket (\Gamma, \Omega, x{:}A, \Delta) \rrbracket$         By definition of $\llbracket \cdot \rrbracket$ and Weakening (Lemma 3.26)
$\Phi' \vdash [\theta, N/x]M \in \llbracket B \rrbracket$                                      By IH
$\Phi' \vdash [N/x]([\theta, x/x]M) \in \llbracket B \rrbracket$                               By Corollary 3.23
$\Phi' \vdash (\lambda x^0{:}A.\,[\theta, x/x]M)\,N^0 \in \llbracket B \rrbracket$             By Lemma 3.21
$\Phi' \vdash ([\theta](\lambda x^0{:}A.\,M))\,N^0 \in \llbracket B \rrbracket$                By definition of substitution
$\Phi \vdash [\theta](\lambda x^0{:}A.\,M) \in \llbracket A \to^0 B \rrbracket$                By definition of $\llbracket A \to^0 B \rrbracket$

Case:

$\mathcal{D} = \dfrac{\Gamma; \Omega; (\Delta, x{:}A) \vdash M : B}{\Gamma; \Omega; \Delta \vdash \lambda x^1{:}A.\,M : A \to^1 B}\ {\to^1}I$

$\Gamma; \Omega; (\Delta, x{:}A) \vdash M : B$                                                 By sub-derivation
$\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, \Delta) \rrbracket$                        By hypothesis
$\Phi' \geq \Phi$ and $\Phi' \vdash N \in \llbracket A \rrbracket$                             By assumption
$\Phi' \vdash (\theta, N/x) \in \llbracket (\Gamma, \Omega, \Delta, x{:}A) \rrbracket$         By definition of $\llbracket \cdot \rrbracket$ and Weakening (Lemma 3.26)
$\Phi' \vdash [\theta, N/x]M \in \llbracket B \rrbracket$                                      By IH
$\Phi' \vdash [N/x]([\theta, x/x]M) \in \llbracket B \rrbracket$                               By Corollary 3.23
$\Phi' \vdash (\lambda x^1{:}A.\,[\theta, x/x]M)\,N^1 \in \llbracket B \rrbracket$             By Lemma 3.21
$\Phi' \vdash ([\theta](\lambda x^1{:}A.\,M))\,N^1 \in \llbracket B \rrbracket$                By definition of substitution
$\Phi \vdash [\theta](\lambda x^1{:}A.\,M) \in \llbracket A \to^1 B \rrbracket$                By definition of $\llbracket A \to^1 B \rrbracket$

Case:

$\mathcal{D} = \dfrac{\Gamma; \Omega; \Delta \vdash M : A \to^u B \qquad (\Gamma, \Delta); \Omega; \cdot \vdash N : A}{\Gamma; \Omega; \Delta \vdash M\,N^u : B}\ {\to^u}E$

$\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, \Delta) \rrbracket$          By hypothesis
$\Gamma; \Omega; \Delta \vdash M : A \to^u B$                                     By sub-derivation
$\Phi \vdash [\theta]M \in \llbracket A \to^u B \rrbracket$                       By IH
$(\Gamma, \Delta); \Omega; \cdot \vdash N : A$                                    By sub-derivation
$\Phi \vdash [\theta]N \in \llbracket A \rrbracket$                               By IH
$\Phi \geq \Phi$                                                                  By rule
$\Phi \vdash ([\theta]M)\,([\theta]N)^u \in \llbracket B \rrbracket$              By definition of $\llbracket \cdot \rrbracket$
$\Phi \vdash [\theta](M\,N^u) \in \llbracket B \rrbracket$                        By definition of substitution

Case:

$\mathcal{D} = \dfrac{\Gamma; \Omega; \Delta \vdash M : A \to^0 B \qquad (\Gamma, \Omega, \Delta); \cdot; \cdot \vdash N : A}{\Gamma; \Omega; \Delta \vdash M\,N^0 : B}\ {\to^0}E$

$\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, \Delta) \rrbracket$          By hypothesis
$\Gamma; \Omega; \Delta \vdash M : A \to^0 B$                                     By sub-derivation
$\Phi \vdash [\theta]M \in \llbracket A \to^0 B \rrbracket$                       By IH
$(\Gamma, \Omega, \Delta); \cdot; \cdot \vdash N : A$                             By sub-derivation
$\Phi \vdash [\theta]N \in \llbracket A \rrbracket$                               By IH
$\Phi \geq \Phi$                                                                  By rule
$\Phi \vdash ([\theta]M)\,([\theta]N)^0 \in \llbracket B \rrbracket$              By definition of $\llbracket \cdot \rrbracket$
$\Phi \vdash [\theta](M\,N^0) \in \llbracket B \rrbracket$                        By definition of substitution


Case:

$\mathcal{D} = \dfrac{(\Gamma, \Delta_N); \Omega; \Delta_M \vdash M : A \to^1 B \qquad (\Gamma, \Delta_M); \Omega; \Delta_N \vdash N : A}{\Gamma; \Omega; (\Delta_M, \Delta_N) \vdash M\,N^1 : B}\ {\to^1}E$

$\Phi \vdash \theta \in \llbracket (\Gamma, \Omega, (\Delta_M, \Delta_N)) \rrbracket$     By hypothesis
$(\Gamma, \Delta_N); \Omega; \Delta_M \vdash M : A \to^1 B$                                By sub-derivation
$\Phi \vdash [\theta]M \in \llbracket A \to^1 B \rrbracket$                                By IH
$(\Gamma, \Delta_M); \Omega; \Delta_N \vdash N : A$                                        By sub-derivation
$\Phi \vdash [\theta]N \in \llbracket A \rrbracket$                                        By IH
$\Phi \geq \Phi$                                                                           By rule
$\Phi \vdash ([\theta]M)\,([\theta]N)^1 \in \llbracket B \rrbracket$                       By definition of $\llbracket \cdot \rrbracket$
$\Phi \vdash [\theta](M\,N^1) \in \llbracket B \rrbracket$                                 By definition of substitution

□


Lemma 3.28  $\Psi \vdash id_\Psi \in \llbracket \Psi \rrbracket$.

Proof: By a straightforward induction on $\Psi$ using Lemma 3.20(2). □

Theorem 3.29 (Canonical Form Theorem)  If $\Gamma; \Omega; \Delta \vdash M : A$, then there is $N$ such that $(\Gamma, \Omega, \Delta) \vdash M \Uparrow N : A$ and $\Gamma; \Omega; \Delta \vdash N \Uparrow A$.

Proof: Assume $\Gamma; \Omega; \Delta \vdash M : A$. By Lemma 3.28, $(\Gamma, \Omega, \Delta) \vdash id_{(\Gamma, \Omega, \Delta)} \in \llbracket (\Gamma, \Omega, \Delta) \rrbracket$; hence, by Lemma 3.27, $(\Gamma, \Omega, \Delta) \vdash [id_{(\Gamma, \Omega, \Delta)}]M \in \llbracket A \rrbracket$, and thus by Lemma 3.24 $(\Gamma, \Omega, \Delta) \vdash M \in \llbracket A \rrbracket$; by Lemma 3.20(1), $(\Gamma, \Omega, \Delta) \vdash M \Uparrow N : A$ for some $N$. Additionally, by Theorem 3.17(2), $\Gamma; \Omega; \Delta \vdash N \Uparrow A$. □

We shall abbreviate the statement of the canonical form Theorem as $\Gamma; \Omega; \Delta \vdash M \Updownarrow A$.

We will also need the typing and the canonical form rule for existential variables. We use $\Phi$ for arrays of (distinct) labeled bound variables; if $x^k$ occurs in $\Phi$ we set $\Phi(x) = k$. We say that $\Gamma; \Omega; \Delta \vdash \Phi$ ok if the following holds:

$\Phi(x) = u$ iff $x \in \mathrm{dom}(\Gamma)$
$\Phi(x) = 0$ iff $x \in \mathrm{dom}(\Omega)$
$\Phi(x) = 1$ iff $x \in \mathrm{dom}(\Delta)$

Moreover, if $\Gamma; \Omega; \Delta \vdash M : A$ and $\Gamma; \Omega; \Delta \vdash \Phi$ ok we may write $\Phi \vdash M : A$. We assume that the type $A$ in $E_A$ is well-behaved w.r.t. $\Phi$.

$\dfrac{\Gamma; \Omega; \Delta \vdash \Phi\ \mathrm{ok}}{\Gamma; \Omega; \Delta \vdash E_A\,\Phi : a}\ Pat \qquad\qquad \dfrac{\Gamma; \Omega; \Delta \vdash E_A\,\Phi : a}{\Gamma; \Omega; \Delta \vdash E_A\,\Phi \downarrow a}\ cPat$

Remark 3.30  Exclusivity (Lemma 3.13) holds for open patterns as well.

Proof: Assume that both $\Gamma; \Omega; (\Delta, x{:}C) \vdash E_A\,\Phi : A$ and $\Gamma'; (\Omega', x{:}C); \Delta' \vdash E_A\,\Phi : A$. Then $\Gamma; \Omega; (\Delta, x{:}C) \vdash \Phi$ ok and $\Gamma'; (\Omega', x{:}C); \Delta' \vdash \Phi$ ok iff $\Phi(x) = 1$ and $\Phi(x) = 0$, impossible. □

3.3  Related Work on Strictness

Church's original definition of the set $\Lambda_I$ of (untyped) $\lambda$-terms [Chu41] has this clause for abstraction:

If $M \in \Lambda_I$ and $x \in FV(M)$, then $\lambda x.\,M \in \Lambda_I$,

i.e. in this language there cannot be any vacuous abstractions. It can be shown that the only difference between $\Lambda_I$ and $\Lambda$ - the usual definition of $\lambda$-terms - is the lack of the combinator $K$. Indeed, it can be shown that every term in $\Lambda$ can be defined from $\Lambda_I$ and $K$. The $\lambda I$-calculus is the theory of conversion restricted to $\Lambda_I$ terms. This fragment was favored by Church over the nowadays usual calculus because, among other issues, it is strong enough to represent every partial recursive function, albeit not in the most efficient way: see [Bar80] Chapter 2.2.2 - 2.2.5 and more extensively Chapter 9. See [GdQ92] for an historical account.

This would correspond in a simply typed setting to allowing only strict types: more formally, if we denote with $\Lambda^{\to}$ the terms typable in a Curry system based on the $\to$ function space, then $\Lambda^{\to^1} = \Lambda^{\to} \cap \Lambda_I$, as noted for example in [BF93].

The combinatory counterpart of this calculus obviously excludes $K$ and consists of $I$, $W$, $B$, $C$; see [CF58] and [Bar80], Appendix B for an alternative basis. Those are the axioms of what Church called weak implicational logic [Chu51], i.e. identity, contraction, prefixing and permutation. This establishes the link with an enterprise born from a very different origin.

The relevance logic project emerged in fact in the early sixties out of Anderson and Belnap's dissatisfaction with the so-called 'paradoxes of implication', be it material, intuitionistic or strict (in the modal sense of Lewis and Langford); it was built on the work of Moh, Church, Parry in the fifties¹ and climaxed with the publication of the first volume of Entailment [AB75] (the second one was published only in 1992 [AAB92]). Following Girard's and Belnap's [Bel93] suggestion, we will not refer to our calculus as relevant, but as strict logic, as the former may also satisfy other principles such as distributivity of arrow over conjunction.

On an unrelated front, starting with Mycroft's seminal paper [Myc80], compile-time analysis of functional programs concentrated on strictness analysis in order to get the best out of call-by-value and call-by-need evaluation; first in terms of abstract interpretation, later by using non-standard types to represent this 'intensional' information about functions (see [Jen91] for a comparison of these two techniques). However, earlier work such as [TMM89] used a non-standard primitive type to distinguish strict or non-strict terms, closed only under intuitionistic implication. Not forgetting Wadler's early paper [Wad90] on using linear logic for sharing analysis, Wright [Wri91, Wri92] seems the first one to have extended the Curry-Howard isomorphism to (the implicational fragment of) relevance logic and explicitly connected the two areas, although both [Bel74] and [Hel77] had previously recognized the link between strictness and relevance².

In [BF93] the author summarizes the above-mentioned idea of expressing via types the reduction behavior of terms. He characterizes in an operational sense the class of terms which need their argument, the idea being that not only each term needs to be strict, but so does the result of each application. $M$ is not strict if for all $N$ no descendant of $N$ is in the normal form of $M\,N$. This class is then shown to be equivalent to the Curry-typable fragment of $\Lambda_I$.

We now discuss the Curry typing system proposed there, which makes available strict, invariant and intuitionistic types: yet, it is biased towards inferring strictness information, which ultimately leads to a difference of expressive power from our calculus. Some rules are presented in Figure 3.7 - we omit the introduction rules, which are as expected - transliterated in our notation. There is only one context, where variables carry their occurrence status as a label. Being a term assignment system, there are no different abstractors or applicators, but different rules. Note that there is only one identity rule, the strict one, so that e.g. $\lambda x.\,x : A \to^u A$ is not derivable, as it can be given the more stringent type $A \to^1 A$. Let us concentrate on the elimination rules: the side condition enforces the information ordering, so that for example $A' \to B \leq A \to B'$ provided that $A \leq A'$, $B \leq B'$. This allows to infer by strict application $M\,N : C$ from $\Gamma \vdash M : (A \to^u B) \to^1 C$ and $\Gamma' \vdash N : A \to^1 B$. The latter is instead forbidden in our system by the labeled reduction rules. The rationale of the substitution operation on contexts is that in $app \to^0$, $A$ is not relevant to $B$, so all hypotheses should be deleted. Instead, in order to preserve every variable declaration, their strict label is changed into irrelevant. This would amount to moving the strict variables into the irrelevant context in our system. Note the difference with our rule, where the latter variables are moved into the undetermined context. Similarly, in $app \to^u$ strict labels turn into undetermined. Moreover, having only one context, the author needs a strategy to deal with the same binding carrying different annotations; the solution is that, while propagating premises top-down, a binding $x^1{:}A$ supersedes $x^u{:}A$, which in turn supersedes $x^0{:}A$.

The author goes on (see also [WBF93]) detailing a system which refines the strict calculus by allowing to count usage, motivated by sharing analysis; thus $A \to^i B$ denotes a term where $A$ is used $i$ times to infer $B$. Undetermined usage is then added via dummy variables. This unfortunately leads to an undecidable type checking problem.

In [Wri96] Wright introduces an Annotation Logic as a general framework for resource-conscious logics. The annotation logic has formulae/types of the form

$A ::= X^k \mid A \to B$

for any annotation $k$ and has structural and connective rules as well as annotation ones:


r*  h 


r,>i'  hB 

- hA: 

r,  h  B 


The latter implement rules such as promotion/dereliction. By instantiation with different algebras of annotation, we get systems such as linear and strict logic as well as various other usage logics. An abstract normalization

¹ Some early work in the twenties in the Soviet Union was, at the time, not accessible.

² Note that we have become aware of this literature only after having fully developed our calculus, which was modeled after the two-zoned linear logic calculus.
$\dfrac{}{\Gamma[1 := 0], x^1{:}A \vdash x : A}\ var$

$\dfrac{\Gamma \vdash M : A \to^1 B \qquad \Gamma' \vdash N : A'}{\Gamma, \Gamma' \vdash M\,N : B}\ app \to^1$

$\dfrac{\Gamma \vdash M : A \to^0 B \qquad \Gamma' \vdash N : A'}{\Gamma, \Gamma'[1 := 0] \vdash M\,N : B}\ app \to^0$

$\dfrac{\Gamma \vdash M : A \to^u B \qquad \Gamma' \vdash N : A'}{\Gamma, \Gamma'[1 := u] \vdash M\,N : B}\ app \to^u$

All elimination rules have the condition $A' \leq A$.

Figure 3.7: The system in [BF93]

procedure is sketched, which however needs commutative conversions (e.g. the case contraction/arrow elimination) already in the purely implicational fragment. Another problem is that properties such as loosening should in our opinion be admissible rather than primitive rules.

Bunched Implication

In a series of papers Pym et al. (see [Pym99] and references therein) introduce a first-order and its correspondent dependent type calculus which aim to couple multiplicative and additive implication. The two are distinguished by allowing two different constructors for contexts, which are called "bunches". This is different from a zoned calculus as bunches can be nested. As expected, contraction and weakening are allowed for additive assumptions but not for multiplicative ones. The resulting logic can be seen as a variant of relevant logic, as there is no requirement that an argument to a multiplicative function must be used only once, but only that it should not share with other variables in the (proof) term. Thus, in our terminology $A \to ((A \to A' \to B) \to B)$ is derivable, but not $A \to ((A \to A \to B) \to B)$. Moreover, the logic allows additive conjunction to distribute over additive disjunction, which is not allowed in multiplicative additive intuitionistic linear logic. Its naturality should follow from its categorical semantics. Its correspondent dependently-typed calculus, dubbed RLF, is proposed as a resource conscious conservative extension of LF.

Relevant Logic Programming

In [Bol90] the author presents his approach to relevant, i.e. in our terminology strict, logic programming as part of his dissertation on 'Conditional Logic Programming' [Bol88]. He makes a (weak) case for its utility in applications such as planning and diagnosis, whose hypothetical queries should indeed use their premises. The system boils down to a strict version of N-Prolog. Unfortunately the author was only partially aware of Girard's work on linear logic, and entirely unaware of the notion of uniform proof [MNPS91], although he gives a brave attempt at a mainly proof-theoretic approach: thus, as Gabbay and McCarthy before, he embarks on an awfully complicated and low-level description of an interpreter which enforces the usage requirement, for, I think, the following fragment; note that there are two conjunctions: $\&$ is additive and $\wedge$ multiplicative.

Assertions  $A ::= P \mid Q \to P \mid A_1 \,\&\, A_2 \mid \forall x.\,A$

Queries  $Q ::= P \mid Q_1 \wedge Q_2 \mid Q_1 \; Q_2 \mid A \to Q \mid \exists x.\,Q$

If we were formulating a strict logical framework in the sense of [Cer96], the former system would therefore be a strict (no pun intended) subset of the latter.


Chapter  4 

The  Relative  Complement  Problem 
for  Higher- Order  Patterns 


We introduce in the next Section 4.1 a restriction of the language for which complementation is possible (Section 4.2). Moreover, in Section 4.3 we will give a unification algorithm for this fragment. Section 4.4 shows how the former operations induce a boolean algebra over finite sets of terms.

4.1  Towards  Term  Complementation 

Now  that  we  have  developed  a  calculus  which  is  potentially  strong  enough  to  represent  the  complement 
of  linear  patterns,  we  need  to  answer  two  questions:  how  do  we  embed  the  original  A-calculus,  and  is  the 
calculus  now  closed  under  complement? 

We reiterate that we require that our complement operator ought to satisfy the usual boolean rules for negation:

1. (Disjointness) It is not the case that some $M$ is both a ground instance of $N$ and of $\mathrm{Not}(N)$.

2. (Exhaustivity) Every $M$ is a ground instance of $N$ or of $\mathrm{Not}(N)$.

Unfortunately, while the first property follows quite easily from Corollary 3.14, it turns out that exhaustivity does not hold in general in the presence of intuitionistic application. In fact, consider the application $y\,x^u$: while it is clear that $\Gamma \vdash y\,x^u \in \|E\,x^u\,y^u\|$, it is not the case that $\Gamma \vdash y\,x^u \in \|E\,x^1\,y^u\|$ or $\Gamma \vdash y\,x^u \in \|E\,x^0\,y^u\|$.

However,  the  main  result  of  this  Chapter  is  that  the  complement  algorithm  presented  in  Definition  4.13  is 
sound  and  complete  for  the  fragment  which  results  from  the  natural  embedding  of  the  original  simply-typed 
A-calculus;  this  is  sufficient  for  our  intended  application.  We  will  proceed  in  two  separate  phases: 

•  Restrict  to  a  class  of  terms  (that  we  call  simple)  for  which  the  crucial  property  of  tightening  (Lemma 
4.5)  can  be  established,  yielding  exhaustivity  as  a  corollary. 

•  Bring  simple  terms  to  ‘full  application’. 

4.1.1  Simple  Terms 

Recall  that  we  have  introduced  strictness  to  capture  occurrence  conditions  on  variables  in  canonical  forms. 
This  means  that  first-order  constants  (and  by  extension  bound  variables)  should  be  considered  strict  functions 
of  their  argument,  since  these  arguments  will  indeed  occur  in  the  canonical  form.  On  the  other  hand,  if  we 
have  a  second  order  constant,  we  cannot  restrict  the  argument  function  to  be  either  strict  or  vacuous,  since 
this  would  render  our  representations  inadequate. 
Example 4.1  Continuing Example 2.6, consider the representation of the $K$ combinator:

$\ulcorner \lambda x.\,\lambda y.\,x \urcorner = lam\,(\lambda x{:}exp.\,lam\,(\lambda y{:}exp.\,x))$

Notice that the argument to the first occurrence of 'lam' is a strict function, while the argument to the second occurrence is an invariant function. If we can give only one type to 'lam' it must therefore be $(exp \to^u exp) \to^1 exp$.

Generalizing this observation means that positive occurrences of function types are translated to strict functions, while the negative ones to undetermined functions. We can formalize this as an embedding of the simply-typed $\lambda$-calculus into a fragment of the strict calculus via two (overloaded) mutually recursive functions $(\cdot)^-$ and $(\cdot)^+$. First, the definition on types:

$(A \to B)^+ = A^- \to^1 B^+$
$(A \to B)^- = A^+ \to^u B^-$
$a^- = a^+ = a$

We extend it to canonical terms (including existential variables), signatures, and contexts; we thus need the usual inductive definition of canonical terms in the simply-typed $\lambda$-calculus, which can be obtained by dropping labels (Theorem 3.15) from the definition of canonical form in Figure 3.5. Note that embedding only canonical forms rules out the case of '+'-ing a lambda expression, as well as '−'-ing abstractions and non-atomic $h \in \mathrm{dom}(\Gamma \cup \Sigma)$.


$(\lambda x{:}A.\,M)^- = \lambda x^u{:}A^+.\,M^-$
$M^- = M^+$ (for atomic $M$)
$x^+ = x$
$c^+ = c$
$(E_A\,x_1 \ldots x_n)^+ = E_{A^-}\,x_1^u \ldots x_n^u$
$(M\,N)^+ = M^+\,(N^-)^1$

$(\cdot)^+ = \cdot$
$(\Gamma, x{:}A)^+ = \Gamma^+, x{:}A^+$
$(\Sigma, a{:}type)^+ = \Sigma^+, a{:}type$
$(\Sigma, c{:}A)^+ = \Sigma^+, c{:}A^+$

Example 4.2  Coming back to Example 4.1:

$(lam\,(\lambda x{:}exp.\,lam\,(\lambda y{:}exp.\,x)))^+ = lam\,(\lambda x^u{:}exp.\,lam\,(\lambda y^u{:}exp.\,x)^1)^1$

The image of the embedding of the canonical forms of the simply-typed $\lambda$-calculus gives rise to the following fragment:

Simple Terms  $M ::= \lambda x^u{:}A^+.\,M \mid (\ldots(h\,M_1)^1 \ldots M_n)^1 \mid (\ldots(E_{A^-}\,x_1)^u \ldots x_n)^u$

We often abbreviate $(\ldots(h\,M_1)^1 \ldots M_n)^1$ as $h\,M_n^1$; similarly we shall use $x_n^u$. Note that, by the use of $\eta$-long $\beta$-normal forms, such terms, as well as pattern variables, must be of base type.
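As an added example, not part of the thesis, the following Python code implements the polarity embedding just defined, on types and on canonical terms, and reproduces Example 4.1 (the type of lam) and Example 4.2 (the embedding of $K$). The tuple representations of types and terms, the concrete syntax printed by `show`, and the sample term are assumptions of this example.

```python
# Added example, not from the thesis: the polarity embedding (.)^+ / (.)^- of
# Section 4.1.1, from canonical simply-typed terms into simple strict terms.
# Representations (assumptions of this example):
#   simply-typed types:  ('base', a) | ('arrow', A, B)
#   strict types:        ('base', a) | ('arrow', A, B, k)        for A ->^k B
#   canonical terms:     ('lam', x, A, M) | ('app', M, N) | ('var', x) | ('const', c)
#                        | ('pat', E, A, [x1, ..., xn])           for E_A x1 ... xn
#   strict terms:        ('lam', x, k, A, M) | ('app', M, N, k) | ('var', x) | ('const', c)
#                        | ('pat', E, A, [(x1, k1), ..., (xn, kn)])

def embed_type(A, polarity):
    """(A)^+ for polarity '+', (A)^- for polarity '-': a positive arrow becomes strict
    (label '1'), a negative one undetermined (label 'u'); base types are unchanged."""
    if A[0] == 'base':
        return A
    _, dom, cod = A
    if polarity == '+':                      # (A -> B)^+ = A^- ->^1 B^+
        return ('arrow', embed_type(dom, '-'), embed_type(cod, '+'), '1')
    return ('arrow', embed_type(dom, '+'), embed_type(cod, '-'), 'u')   # (A -> B)^- = A^+ ->^u B^-

def embed_minus(M):
    """(M)^- on canonical terms: abstractions get undetermined binders and positive
    domain types; an atomic canonical term is embedded with (.)^+."""
    if M[0] == 'lam':
        _, x, A, body = M
        return ('lam', x, 'u', embed_type(A, '+'), embed_minus(body))
    return embed_plus(M)

def embed_plus(M):
    """(M)^+ on atomic terms: heads are unchanged, applications become strict,
    pattern variables get undetermined arguments and the negative type."""
    tag = M[0]
    if tag in ('var', 'const'):
        return M
    if tag == 'pat':
        _, E, A, xs = M
        return ('pat', E, embed_type(A, '-'), [(x, 'u') for x in xs])
    _, F, X = M
    return ('app', embed_plus(F), embed_minus(X), '1')

def show_type(A):
    """Concrete syntax of a strict type, e.g. ((exp ->u exp) ->1 exp)."""
    if A[0] == 'base':
        return A[1]
    _, dom, cod, k = A
    return f"({show_type(dom)} ->{k} {show_type(cod)})"

def show(M):
    """Concrete syntax of a strict term, labels written as superscripts with '^'."""
    tag = M[0]
    if tag in ('var', 'const'):
        return M[1]
    if tag == 'app':
        _, F, X, k = M
        return f"({show(F)} {show(X)})^{k}"
    if tag == 'lam':
        _, x, k, A, body = M
        return f"\\{x}^{k}:{show_type(A)}. {show(body)}"
    _, E, _, xs = M
    return " ".join([E] + [f"{x}^{k}" for x, k in xs])

EXP = ('base', 'exp')
# Constructed sample: the representation of K from Example 4.1 as a canonical term.
K_REPR = ('app', ('const', 'lam'),
          ('lam', 'x', EXP, ('app', ('const', 'lam'), ('lam', 'y', EXP, ('var', 'x')))))

def embed_k():
    """Example 4.2: the embedding of the representation of K."""
    return show(embed_minus(K_REPR))

def lam_type():
    """Example 4.1: the single strict type lam receives, (exp -> exp) -> exp embedded positively."""
    return show_type(embed_type(('arrow', ('arrow', EXP, EXP), EXP), '+'))

if __name__ == '__main__':
    print(embed_k())
    print(lam_type())
```

Running the block prints the embedded $K$ with both binders labeled $u$ and both applications of lam labeled $1$, exactly the shape of Example 4.2; the negative occurrence of the arrow in lam's type is the one that turns undetermined.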

To prove the correctness of the embedding (Theorem 4.4), we will need the following:

Lemma 4.3  If $\Gamma \vdash E_A\,\Phi : a$ then $\Gamma^+; \cdot; \cdot \vdash E_{A^-}\,\Phi^u : a$.

Proof: A straightforward induction on $A$. □

Theorem 4.4 (Correctness of $(\cdot)^+$ and $(\cdot)^-$)

1. If $\Gamma \vdash M \Uparrow A$, then $\Gamma^+; \cdot; \cdot \vdash M^- \Uparrow A^-$.

2. If $\Gamma \vdash M \downarrow A$, then $\Gamma^+; \cdot; \cdot \vdash M^+ \downarrow A^+$.


Proof: By mutual induction on the proofs of $\mathcal{D}_1 :: \Gamma \vdash M \Uparrow A$ and $\mathcal{D}_2 :: \Gamma \vdash M \downarrow A$.

Case:

$\mathcal{D}_2 = \dfrac{c{:}A \in \Sigma}{\Gamma \vdash c \downarrow A}\ atmCnst$

Since $c^+ = c$ and $\Sigma^+(c) = A^+$ we conclude

$\mathcal{E} = \dfrac{}{\Gamma^+; \cdot; \cdot \vdash c^+ \downarrow A^+}\ cId^c$

Case:

$\mathcal{D}_2 = \dfrac{}{(\Gamma, x{:}A) \vdash x \downarrow A}\ atmVar$

Since $x^+ = x$ and $\Gamma^+(x) = A^+$ we conclude

$\mathcal{E} = \dfrac{}{(\Gamma, x{:}A)^+; \cdot; \cdot \vdash x^+ \downarrow A^+}\ cId^u$

Case:

$\mathcal{D}_2 = \dfrac{\Gamma \vdash M \downarrow B \to A \qquad \Gamma \vdash N \Uparrow B}{\Gamma \vdash M\,N \downarrow A}\ atmApp$

$\Gamma \vdash M \downarrow B \to A$                                        By sub-derivation
$\Gamma^+; \cdot; \cdot \vdash M^+ \downarrow (B \to A)^+$                  By IH 2
$\Gamma^+; \cdot; \cdot \vdash M^+ \downarrow B^- \to^1 A^+$                By the embedding
$\Gamma \vdash N \Uparrow B$                                                By sub-derivation
$\Gamma^+; \cdot; \cdot \vdash N^- \Uparrow B^-$                            By IH 1
$\Gamma^+; \cdot; \cdot \vdash M^+\,(N^-)^1 \downarrow A^+$                 By rule $c{\to^1}E$
$\Gamma^+; \cdot; \cdot \vdash (M\,N)^+ \downarrow A^+$                     By the embedding

Case:

$\mathcal{D}_2 = \dfrac{\Gamma \vdash E_A\,x_n : a}{\Gamma \vdash E_A\,x_n \downarrow a}\ canPat$

$\Gamma \vdash E_A\,x_n : a$                                                By sub-derivation
$\Gamma^+; \cdot; \cdot \vdash E_{A^-}\,x_n^u : a$                          By Lemma 4.3
$\Gamma^+; \cdot; \cdot \vdash E_{A^-}\,x_n^u \downarrow a$                 By rule $cPat$
$\Gamma^+; \cdot; \cdot \vdash (E_A\,x_n)^+ \downarrow a^+$                 By the embedding

Case:

$\mathcal{D}_1 = \dfrac{\Gamma \vdash M \downarrow a}{\Gamma \vdash M \Uparrow a}\ canAtm$

$\Gamma \vdash M \downarrow a$                                              By sub-derivation
$\Gamma^+; \cdot; \cdot \vdash M^+ \downarrow a$                            By IH 2
$\Gamma^+; \cdot; \cdot \vdash M^+ \Uparrow a$                              By rule $cAt$
$\Gamma^+; \cdot; \cdot \vdash M^- \Uparrow a^-$                            By the embedding

Case:

$\mathcal{D}_1 = \dfrac{\Gamma, x{:}A \vdash M \Uparrow B}{\Gamma \vdash \lambda x{:}A.\,M \Uparrow A \to B}\ canLam$

$(\Gamma, x{:}A) \vdash M \Uparrow B$                                                   By sub-derivation
$(\Gamma, x{:}A)^+; \cdot; \cdot \vdash M^- \Uparrow B^-$                               By IH 1
$(\Gamma^+, x{:}A^+); \cdot; \cdot \vdash M^- \Uparrow B^-$                             By the embedding
$\Gamma^+; \cdot; \cdot \vdash \lambda x^u{:}A^+.\,M^- \Uparrow A^+ \to^u B^-$          By rule $c{\to^u}I$
$\Gamma^+; \cdot; \cdot \vdash (\lambda x{:}A.\,M)^- \Uparrow (A \to B)^-$              By the embedding

□

From now on we may hide the $(\cdot)^1$ decoration from strict application of constants in examples. Moreover, for every judgment $J$ on simple terms, we will shorten $\Gamma; \cdot; \cdot \vdash J$ into $\Gamma \vdash J$.

We can now prove the crucial tightening lemma. It expresses the property that every closed simple term is either strict or vacuous in a given undetermined variable.

Lemma 4.5 (Tightening)  Let $M$ be a closed simple term:

1. If $(\Gamma, x{:}C); \Omega; \Delta \vdash M \downarrow A$, then $\Gamma; \Omega; (\Delta, x{:}C) \vdash M \downarrow A$ or $\Gamma; (\Omega, x{:}C); \Delta \vdash M \downarrow A$.

2. If $(\Gamma, x{:}C); \Omega; \Delta \vdash M \Uparrow A$, then $\Gamma; \Omega; (\Delta, x{:}C) \vdash M \Uparrow A$ or $\Gamma; (\Omega, x{:}C); \Delta \vdash M \Uparrow A$.

Proof: By mutual induction on $\mathcal{D}_1 :: (\Gamma, x{:}C); \Omega; \Delta \vdash M \downarrow A$ and $\mathcal{D}_2 :: (\Gamma, x{:}C); \Omega; \Delta \vdash M \Uparrow A$.


Case:

$\mathcal{D}_1 = \dfrac{c{:}A \in \Sigma}{(\Gamma, x{:}C); \Omega; \cdot \vdash c \downarrow A}\ cId^c$

Then

$\mathcal{E} = \dfrac{c{:}A \in \Sigma}{\Gamma; (\Omega, x{:}C); \cdot \vdash c \downarrow A}\ cId^c$

Case:

$\mathcal{D}_1 = \dfrac{}{(\Gamma, x{:}C, y{:}A); \Omega; \cdot \vdash y \downarrow A}\ cId^u$

Then

$\mathcal{E} = \dfrac{}{(\Gamma, y{:}A); (\Omega, x{:}C); \cdot \vdash y \downarrow A}\ cId^u$

Case:

$\mathcal{D}_1 = \dfrac{}{(\Gamma, x{:}C); \Omega; \cdot \vdash x \downarrow C}\ cId^u$

Then

$\mathcal{E} = \dfrac{}{\Gamma; \Omega; x{:}C \vdash x \downarrow C}\ cId^1$

Case:

$\mathcal{D}_1 = \dfrac{}{(\Gamma, x{:}C); \Omega; y{:}A \vdash y \downarrow A}\ cId^1$

Then

$\mathcal{E} = \dfrac{}{\Gamma; (\Omega, x{:}C); y{:}A \vdash y \downarrow A}\ cId^1$

Case:

$\mathcal{D}_2 = \dfrac{(\Gamma, x{:}C); \Omega; \Delta \vdash M \downarrow a}{(\Gamma, x{:}C); \Omega; \Delta \vdash M \Uparrow a}\ cAt$

$(\Gamma, x{:}C); \Omega; \Delta \vdash M \downarrow a$                                                              By sub-derivation
$\Gamma; \Omega; (\Delta, x{:}C) \vdash M \downarrow a$ or $\Gamma; (\Omega, x{:}C); \Delta \vdash M \downarrow a$   By IH 1

Subcase: $\Gamma; \Omega; (\Delta, x{:}C) \vdash M \downarrow a$                                                    By assumption
$\Gamma; \Omega; (\Delta, x{:}C) \vdash M \Uparrow a$                                                                By rule $cAt$

Subcase: $\Gamma; (\Omega, x{:}C); \Delta \vdash M \downarrow a$                                                    By assumption
$\Gamma; (\Omega, x{:}C); \Delta \vdash M \Uparrow a$                                                                By rule $cAt$

Case:

$\mathcal{D}_2 = \dfrac{(\Gamma, x{:}C, y{:}A); \Omega; \Delta \vdash M \Uparrow B}{(\Gamma, x{:}C); \Omega; \Delta \vdash (\lambda y^u{:}A.\,M) \Uparrow A \to^u B}\ c{\to^u}I$

$(\Gamma, x{:}C, y{:}A); \Omega; \Delta \vdash M \Uparrow B$                                                                          By sub-derivation
$(\Gamma, y{:}A); \Omega; (\Delta, x{:}C) \vdash M \Uparrow B$ or $(\Gamma, y{:}A); (\Omega, x{:}C); \Delta \vdash M \Uparrow B$     By IH 2

Subcase: $(\Gamma, y{:}A); \Omega; (\Delta, x{:}C) \vdash M \Uparrow B$                                                             By assumption
$\Gamma; \Omega; (\Delta, x{:}C) \vdash (\lambda y^u{:}A.\,M) \Uparrow A \to^u B$                                                   By rule $c{\to^u}I$

Subcase: $(\Gamma, y{:}A); (\Omega, x{:}C); \Delta \vdash M \Uparrow B$: symmetrical.

Case:

$\mathcal{D}_1 = \dfrac{(\Gamma, x{:}C, \Delta_N); \Omega; \Delta_M \vdash M \downarrow A \to^1 B \qquad (\Gamma, x{:}C, \Delta_M); \Omega; \Delta_N \vdash N \Uparrow A}{(\Gamma, x{:}C); \Omega; (\Delta_M, \Delta_N) \vdash M\,N^1 \downarrow B}\ c{\to^1}E$

There are four sub-cases, stemming from IH 1 and 2:

1.
$(\Gamma, \Delta_N); \Omega; (\Delta_M, x{:}C) \vdash M \downarrow A \to^1 B$        By assumption
$(\Gamma, \Delta_M); \Omega; (x{:}C, \Delta_N) \vdash N \Uparrow A$                   By assumption
$(\Gamma, \Delta_M, x{:}C); \Omega; \Delta_N \vdash N \Uparrow A$                     By Loosening on $x$
$\Gamma; \Omega; (\Delta_M, x{:}C, \Delta_N) \vdash M\,N^1 \downarrow B$              By rule

2.
$(\Gamma, \Delta_N); (\Omega, x{:}C); \Delta_M \vdash M \downarrow A \to^1 B$        By assumption
$(\Gamma, \Delta_M); (\Omega, x{:}C); \Delta_N \vdash N \Uparrow A$                   By assumption
$\Gamma; (\Omega, x{:}C); (\Delta_M, \Delta_N) \vdash M\,N^1 \downarrow B$            By rule

3.
$(\Gamma, \Delta_N); \Omega; (\Delta_M, x{:}C) \vdash M \downarrow A \to^1 B$        By assumption
$(\Gamma, \Delta_M); (\Omega, x{:}C); \Delta_N \vdash N \Uparrow A$                   By assumption
$(\Gamma, \Delta_M, x{:}C); \Omega; \Delta_N \vdash N \Uparrow A$                     By Loosening on $x$
$\Gamma; \Omega; (\Delta_M, x{:}C, \Delta_N) \vdash M\,N^1 \downarrow B$              By rule

4. Symmetrical to 3.

□

We remark that tightening fails to hold once we allow non-simple terms, namely intuitionistic application. For example $y{:}A \to^u B, x{:}A; \cdot; \cdot \vdash y\,x^u : B$, but both $y{:}A \to^u B; \cdot; x{:}A \nvdash y\,x^u : B$ and $y{:}A \to^u B; x{:}A; \cdot \nvdash y\,x^u : B$. This suggests that simple terms are not only a useful technical device to achieve term complement in the simply-typed case, but possibly for other more general calculi such as the linear $\lambda$-calculus.

Corollary 4.6  Let $M$ be a closed simple term such that $\Gamma; \Omega; \Delta \vdash M \Uparrow A$; then there are $\Delta', \Omega'$ such that $\Gamma = \Delta', \Omega'$ and $\cdot; (\Omega, \Omega'); (\Delta, \Delta') \vdash M \Uparrow A$.

Proof: By induction on $\Gamma$, using Lemma 4.5. □
$\dfrac{\Omega = \mathrm{dom}(\Gamma) \setminus |\Phi|}{\Gamma \vdash E\,\Phi \longmapsto Z\,\Phi\,\Omega^0}\ TrnPat$ (with $Z$ a fresh existential variable)

$\dfrac{\Gamma, x{:}A \vdash M \longmapsto N}{\Gamma \vdash \lambda x^u{:}A.\,M \longmapsto \lambda x^u{:}A.\,N}\ TrnLam$

$\dfrac{\Gamma \vdash M_1 \longmapsto N_1 \quad \cdots \quad \Gamma \vdash M_n \longmapsto N_n}{\Gamma \vdash h\,M_n^1 \longmapsto h\,N_n^1}\ TrnApp$

Figure 4.1: Full application translation: $\Gamma \vdash M \longmapsto N$


4.1.2  Full Application

We can simplify the presentation of the algorithms for complement and later unification if we require any existential variable to be applied to every bound variable in its declaration context. This is possible for any simple linear pattern without changing the set of its ground instances. We just insert vacuous applications, which guarantees that the extra variables are not used. In a slight abuse of notation we call the resulting terms fully applied.

We describe in Figure 4.1 the judgment $\Gamma \vdash M \longmapsto N$ which turns a term $M$ into an equivalent fully applied term $N$: while we need this translation specialized to simple terms, it is clear how to generalize this judgment to the canonical forms of any strict term.

Example 4.7  Recall the simple term from Example 2.8:

$lam\,(\lambda x^u{:}exp.\,app\,E\,x)$

has fully applied form

$lam\,(\lambda x^u{:}exp.\,app\,(Z\,x^0)\,x)$

for a fresh existential variable $Z$ of type $exp \to^0 exp$.

We may check that the output of the translation is indeed fully applied w.r.t. its definition in Figure 2.3:

Lemma 4.8  If $M$ is a simple term and $\Gamma \vdash M \longmapsto N$, then $\Gamma \vdash N$ f.a.

Proof: A straightforward induction on the structure of the given derivation. □

We have now arrived at the following language, where the labeling on flexible patterns is unrestricted, still called "simple terms":

Simple Terms  $M ::= \lambda x^u{:}A^+.\,M \mid (\ldots(h\,M_1)^1 \ldots M_n)^1 \mid (\ldots(E\,x_1^{k_1}) \ldots x_n^{k_n})$

To prove the set-theoretic adequacy of the translation, we will need the following irrelevance Lemma.

Lemma 4.9 (Irrelevance)  If $M$ is a closed simple term, then:

1. If $\Gamma; (\Omega, x{:}C); \Delta \vdash M \Uparrow A$ then $\Gamma; \Omega; \Delta \vdash M \Uparrow A$.

2. If $\Gamma; (\Omega, x{:}C); \Delta \vdash M \downarrow A$ then $\Gamma; \Omega; \Delta \vdash M \downarrow A$.

Proof: By mutual induction on $\mathcal{D}_1 :: \Gamma; (\Omega, x{:}C); \Delta \vdash M \downarrow A$ and $\mathcal{D}_2 :: \Gamma; (\Omega, x{:}C); \Delta \vdash M \Uparrow A$.

Case:

$\mathcal{D}_1 = \dfrac{c{:}A \in \Sigma}{\Gamma; (\Omega, x{:}C); \cdot \vdash c \downarrow A}\ cId^c$

Then

$\mathcal{E} = \dfrac{c{:}A \in \Sigma}{\Gamma; \Omega; \cdot \vdash c \downarrow A}\ cId^c$

Case:

$\mathcal{D}_1 = \dfrac{}{(\Gamma, y{:}A); (\Omega, x{:}C); \cdot \vdash y \downarrow A}\ cId^u$

Then

$\mathcal{E} = \dfrac{}{(\Gamma, y{:}A); \Omega; \cdot \vdash y \downarrow A}\ cId^u$

Case:

$\mathcal{D}_1 = \dfrac{}{\Gamma; (\Omega, x{:}C); y{:}A \vdash y \downarrow A}\ cId^1$

Then

$\mathcal{E} = \dfrac{}{\Gamma; \Omega; y{:}A \vdash y \downarrow A}\ cId^1$

Case: $\mathcal{D}_2$ ends in $cAt$: by IH 2.

Case:

$\mathcal{D}_2 = \dfrac{(\Gamma, y{:}A); (\Omega, x{:}C); \Delta \vdash M \Uparrow B}{\Gamma; (\Omega, x{:}C); \Delta \vdash (\lambda y^u{:}A.\,M) \Uparrow A \to^u B}\ c{\to^u}I$

$(\Gamma, y{:}A); (\Omega, x{:}C); \Delta \vdash M \Uparrow B$                     By sub-derivation
$(\Gamma, y{:}A); \Omega; \Delta \vdash M \Uparrow B$                              By IH 2
$\Gamma; \Omega; \Delta \vdash (\lambda y^u{:}A.\,M) \Uparrow A \to^u B$           By rule

Case:

$\mathcal{D}_1 = \dfrac{(\Gamma, \Delta_N); (\Omega, x{:}C); \Delta_M \vdash M \downarrow A \to^1 B \qquad (\Gamma, \Delta_M); (\Omega, x{:}C); \Delta_N \vdash N \Uparrow A}{\Gamma; (\Omega, x{:}C); (\Delta_M, \Delta_N) \vdash M\,N^1 \downarrow B}\ c{\to^1}E$

$(\Gamma, \Delta_N); (\Omega, x{:}C); \Delta_M \vdash M \downarrow A \to^1 B$      By sub-derivation
$(\Gamma, \Delta_N); \Omega; \Delta_M \vdash M \downarrow A \to^1 B$               By IH 2
$(\Gamma, \Delta_M); (\Omega, x{:}C); \Delta_N \vdash N \Uparrow A$                By sub-derivation
$(\Gamma, \Delta_M); \Omega; \Delta_N \vdash N \Uparrow A$                         By IH 1
$\Gamma; \Omega; (\Delta_M, \Delta_N) \vdash M\,N^1 \downarrow B$                  By rule

□
Note that irrelevance holds for any strict canonical terms, but it is false for terms containing redexes. For example $\cdot; x{:}A; \cdot \vdash (\lambda y^0{:}A.\,c)\,x^0 : B$, as $x$ becomes unbound in the rightmost premise, but $\cdot; \cdot; \cdot \nvdash (\lambda y^0{:}A.\,c)\,x^0 : B$.

Ground Instances

We recall that we assume every type to be inhabited, so that every term can be seen as the intensional representation of the set of its ground instances. The judgment in Figure 4.2, $\Gamma \vdash M \in \|N\| : A$, formalizes the conditions for $M$ to be a ground instance of a simple linear term $N$ at type $A$. We then extend the judgment to sets of terms of the same type as follows:

$\dfrac{\exists i : 1 \leq i \leq n.\ \ \Gamma \vdash M \in \|N_i\| : A}{\Gamma \vdash M \in \|N_1 \ldots N_n\| : A}$

Remark 4.10  $\Gamma \vdash M \in \|E_A\,\Phi\| : a$ iff $M \downarrow t\,\Phi$ and $\cdot \vdash t : A$ iff $t = \lambda\Phi.\,S$ and, if $\Gamma; \Omega; \Delta \vdash \Phi$ ok, then $\Gamma; \Omega; \Delta \vdash S : a$.

This fact will be heavily used in the following.
$$\frac{M \downarrow t\,\Phi \qquad \cdot \vdash t : A}{\Gamma \vdash M \in \|E_a\,\Phi\| : a}\ \mathrm{grFlx}$$

$$\frac{(\Gamma,x{:}A) \vdash M \in \|N\| : B}{\Gamma \vdash \lambda x^u{:}A.\,M \in \|\lambda x^u{:}A.\,N\| : A \to B}\ \mathrm{grLam}$$

$$\frac{\Gamma \vdash h : A_1 \to \dots \to A_n \to a \qquad \Gamma \vdash M_1 \in \|N_1\| : A_1 \quad\cdots\quad \Gamma \vdash M_n \in \|N_n\| : A_n}{\Gamma \vdash h\,M_1^n \in \|h\,N_1^n\| : a}\ \mathrm{grApp}$$

Figure 4.2: Ground instance: $\Gamma \vdash M \in \|N\| : A$


Lemma 4.11 (Ground Instance Weakening) If $\Gamma \vdash M \in \|N\| : A$ then $(\Gamma,x{:}A) \vdash M \in \|N\| : A$.

Proof: By induction on the structure of the given derivation. □

We implicitly use the above lemma to weaken different contexts with a common basis to a unique one. Now we can prove that the full application translation preserves the set of ground instances.

Theorem 4.12 (Adequacy of the Full Application Translation) Let $N$ be a simple term of type $A$ such that $\Gamma \vdash N \longmapsto Q$. Then $\Gamma \vdash M \in \|N\| : A$ iff $\Gamma \vdash M \in \|Q\| : A$.


Proof: By induction on the structure of $\mathcal{D} :: \Gamma \vdash N \longmapsto Q$ and inversion on $\Gamma \vdash M \in \|N\| : A$ and $\Gamma \vdash M \in \|Q\| : A$.

Case:
$$\mathcal{D} = \frac{\Omega = \mathrm{dom}(\Gamma) \setminus |\Phi|}{\Gamma \vdash E_B\,\Phi \longmapsto E_{B'}\,\Phi\,\Omega^0}\ \mathrm{TrnPat}$$

$(\Rightarrow)$ Let $\Gamma';\Omega';\Delta' \vdash \Phi\ \mathit{ok}$.

$\Gamma \vdash M \in \|E_B\,\Phi\|$ and $\Omega = \mathrm{dom}(\Gamma) \setminus |\Phi|$ (by assumption)

$M \downarrow t\,\Phi$ and $\cdot \vdash t : B$ (by inversion)

$t = \lambda\Phi.\,S$ and $\Gamma';\Omega';\Delta' \vdash S : B$ (by Remark 4.10)

$\Gamma';(\Omega',\Omega);\Delta' \vdash S : B$ (by Weakening)

$M \downarrow t'\,(\Phi\,\Omega^0)$ for $\cdot \vdash t' : B'$ and $\Gamma';(\Omega',\Omega);\Delta' \vdash (\Phi\,\Omega^0)\ \mathit{ok}$ (by Remark 4.10)

$\Gamma \vdash M \in \|E_{B'}\,\Phi\,\Omega^0\|$ (by rule)

$(\Leftarrow)$

$\Gamma \vdash M \in \|E_{B'}\,\Phi\,\Omega^0\|$ and $\Omega = \mathrm{dom}(\Gamma) \setminus |\Phi|$ (by assumption)

$M \downarrow t'\,(\Phi\,\Omega^0)$ for $\cdot \vdash t' : B'$ and $\Gamma';(\Omega',\Omega);\Delta' \vdash (\Phi\,\Omega^0)\ \mathit{ok}$ (by inversion)

$\Gamma';(\Omega',\Omega);\Delta' \vdash S \Uparrow B$ (by Remark 4.10 and the canonical form Theorem)

$\Gamma';\Omega';\Delta' \vdash S \Uparrow B$ (by Irrelevance, Lemma 4.9)

$\Gamma';\Omega';\Delta' \vdash S : B$ (by soundness, Lemma 3.16)

$\Gamma \vdash M \in \|E_B\,\Phi\|$ (by rule and Remark 4.10)

Case: $\mathcal{D}$ ends in TrnLam or TrnApp: the result follows from a straightforward application of the inductive hypothesis.

□

From now on we tacitly assume that all simple terms are fully applied. We call a term $E\,x_1^{k_1} \cdots x_n^{k_n}$ a generalized variable.

4.2 The Complement Algorithm

The idea of complementation for applications and abstractions is quite simple and similar to the first-order case. For generalized variables we consider each argument in turn. If an argument variable is undetermined it does not contribute to the negation. If an argument variable is strict then any term where this variable does not occur contributes to the negation. We therefore complement the corresponding label from 1 to 0 while all other arguments are undetermined. For vacuous argument variables we proceed dually. If $\Gamma = x_1{:}A_1,\dots,x_n{:}A_n$, we write $E\,\Gamma^u$ for the application $E\,x_1^u \cdots x_n^u$. Such an application represents the set of all terms without existential variables and with free variables from $\Gamma$.

In preparation for the rules, we observe that the complement operation on terms behaves on labels like negation does on truth-values in Kleene's three-valued logic, in the sense of the following table:
$$\mathrm{Not}(1) = 0 \qquad \mathrm{Not}(0) = 1 \qquad \mathrm{Not}(u) = u$$

Note that these labels form a three-valued semi-lattice with the (reverse) partial information ordering $1 < u$, $0 < u$.

Definition 4.13 (Higher-Order Pattern Complement) Fix a signature $\Sigma$. For a linear simple term $M$ such that $\Gamma \vdash M : A$ define $\Gamma \vdash \mathrm{Not}(M) \Rightarrow N : A$ by the following rules:

$$\frac{\exists i : 1 \le i \le n \qquad k_i \in \{1,0\}}{\Gamma \vdash \mathrm{Not}(E\,x_1^{k_1} \cdots x_n^{k_n}) \Rightarrow Z\,x_1^u \cdots x_{i-1}^u\,x_i^{\mathrm{Not}(k_i)}\,x_{i+1}^u \cdots x_n^u : a}\ \mathrm{NotFlx}$$

no rule for $k_i = u$

$$\frac{\Gamma,x{:}A \vdash \mathrm{Not}(M) \Rightarrow N : B}{\Gamma \vdash \mathrm{Not}(\lambda x^u{:}A.\,M) \Rightarrow \lambda x^u{:}A.\,N : A \to B}\ \mathrm{NotLam}$$

$$\frac{g \in \Sigma \cup \Gamma \qquad g : A_1 \to \dots \to A_m \to a \qquad m \ge 0 \qquad h \ne g}{\Gamma \vdash \mathrm{Not}(h\,M_1^n) \Rightarrow g\,(Z_1\,\Gamma^u)^1 \cdots (Z_m\,\Gamma^u)^1 : a}\ \mathrm{NotApp}^1$$

$$\frac{\exists i : 1 \le i \le n \qquad \Gamma \vdash \mathrm{Not}(M_i) \Rightarrow N : A_i}{\Gamma \vdash \mathrm{Not}(h\,M_1^n) \Rightarrow h\,(Z_1\,\Gamma^u)^1 \cdots (Z_{i-1}\,\Gamma^u)^1\,N^1\,(Z_{i+1}\,\Gamma^u)^1 \cdots (Z_n\,\Gamma^u)^1 : a}\ \mathrm{NotApp}^2$$

where the $Z$'s are fresh logic variables of appropriate typing, $h \in \Sigma \cup \Gamma$ and $\Gamma \vdash h : A_1 \to \dots \to A_n \to a$.

Note that a given $M$ may be related to several terms $N$, all of which belong to the complement of $M$. Finally we define $\Gamma \vdash \mathrm{Not}(M) = \mathcal{N} : A$ if $\mathcal{N} = \{N \mid \Gamma \vdash \mathrm{Not}(M) \Rightarrow N : A\}$.

We may drop the type information from the above judgment in examples and proofs; we will write $\Gamma \vdash M \in \|\mathrm{Not}(N)\| : A$ when $\Gamma \vdash \mathrm{Not}(N) = \mathcal{N}$ and $\Gamma \vdash M \in \|\mathcal{N}\| : A$.

Note that if $E_A$ is a generalized variable considered in the empty context, it has the canonical form $\lambda x^u.\,E\,x^u$. Hence $\cdot \vdash \mathrm{Not}(E_A) = \emptyset$, as expected.

Example 4.14 Let $\Gamma = x{:}B, y{:}C$:
$$\Gamma \vdash \mathrm{Not}(E\,x^0\,y^1) = \{F\,x^1\,y^u,\ G\,x^u\,y^0\} \tag{4.1}$$

It is worthwhile to observe that the members of a complement set are not mutually disjoint, due to the indeterminacy of $u$. We can achieve an exclusive 'or' if we resolve this indeterminacy, that is by considering for every $x^u$ the two possibilities $x^1, x^0$. Thus, for example, equation (4.1) may be made explicit into:
$$\{F\,x^1\,y^1,\ G\,x^1\,y^0,\ H\,x^0\,y^0\}$$

It is clear that in the worst case the number of terms in a complement set is bounded by $2^n$; hence the usefulness of this further step needs to be pragmatically determined.

Example 4.15 In the signature of numerals:
$$\mathrm{Not}(\lambda x^u \lambda y^u.\,s(E\,x^1\,y^1)) = \{\lambda x^u \lambda y^u.\,x,\ \lambda x^u \lambda y^u.\,y,\ \lambda x^u \lambda y^u.\,0,\ \lambda x^u \lambda y^u.\,s(Z\,x^0\,y^u)^1,\ \lambda x^u \lambda y^u.\,s(Z'\,x^u\,y^0)^1\}$$

We can now revisit¹ Example 2.8:
$$\begin{aligned}
\mathrm{Not}(lam(\lambda x^u{:}exp.\,app\,(E\,x^1)\,x)) = \{ & lam(\lambda x^u{:}exp.\,app\,(Z\,x^0)\,(Z'\,x^u)),\\
& lam(\lambda x^u{:}exp.\,app\,(Z\,x^u)\,(app\,(Z'\,x^u)\,(Z''\,x^u))),\\
& lam(\lambda x^u{:}exp.\,app\,(Z\,x^u)\,(lam(\lambda y^u{:}exp.\,Z'\,x^u\,y^u))),\\
& lam(\lambda x^u{:}exp.\,lam(\lambda y^u{:}exp.\,Z\,x^u\,y^u)),\\
& lam(\lambda x^u{:}exp.\,x),\\
& app\,Z\,Z' \}
\end{aligned}$$


It is easy to show that simple terms are closed under complementation.

Theorem 4.16 If $M$ is a simple term and $\Gamma \vdash \mathrm{Not}(M) \Rightarrow N : A$, then $N$ is simple.

Proof: By induction on the structure of $\mathcal{D} :: \Gamma \vdash \mathrm{Not}(M) \Rightarrow N : A$.

Case: $\mathcal{D}$ ends in NotFlx: immediate.

Case:
$$\mathcal{D} = \frac{\Gamma,x{:}A \vdash \mathrm{Not}(M) \Rightarrow N : B}{\Gamma \vdash \mathrm{Not}(\lambda x^u{:}A.\,M) \Rightarrow \lambda x^u{:}A.\,N : A \to B}\ \mathrm{NotLam}$$
By sub-derivation $\Gamma,x{:}A \vdash \mathrm{Not}(M) \Rightarrow N : B$, hence by IH $N$ is simple and so is $\lambda x^u{:}A.\,N$.

Case:
$$\mathcal{D} = \frac{g \in \Sigma \cup \Gamma \qquad g : A_1 \to \dots \to A_m \to a \qquad m \ge 0 \qquad h \ne g}{\Gamma \vdash \mathrm{Not}(h\,M_1^n) \Rightarrow g\,(Z_1\,\Gamma^u)^1 \cdots (Z_m\,\Gamma^u)^1 : a}\ \mathrm{NotApp}^1$$
Since every $Z_i\,\Gamma^u$ is simple, so is $g\,(Z_1\,\Gamma^u)^1 \cdots (Z_m\,\Gamma^u)^1$.

Case:
$$\mathcal{D} = \frac{\Gamma \vdash \mathrm{Not}(M_i) \Rightarrow N_i : A_i}{\Gamma \vdash \mathrm{Not}(h\,M_1^n) \Rightarrow h\,(Z_1\,\Gamma^u)^1 \cdots (Z_{i-1}\,\Gamma^u)^1\,N_i^1\,(Z_{i+1}\,\Gamma^u)^1 \cdots (Z_n\,\Gamma^u)^1 : a}\ \mathrm{NotApp}^2$$
By IH $N_i$ is simple and, as above, so is every $Z_j\,\Gamma^u$. Thus $h\,(Z_1\,\Gamma^u)^1 \cdots (Z_{i-1}\,\Gamma^u)^1\,N_i^1\,(Z_{i+1}\,\Gamma^u)^1 \cdots (Z_n\,\Gamma^u)^1$ is simple.

□

Corollary 4.17 If $M$ is a simple term and $\Gamma \vdash \mathrm{Not}(M) = \mathcal{N}$, then $\mathcal{N}$ is a set of simple terms.


We address the soundness and completeness of the complement algorithm w.r.t. the set-theoretic semantics: the proof obligation consists in proving that the former does behave as a complement operation on sets of patterns, i.e. it satisfies disjointness and exhaustivity. Termination is obvious as the algorithm is syntax-directed and only finitely branching. We start with soundness. For $\Phi = x_1^{k_1} \cdots x_n^{k_n}$ and a position $i$ with $k_i \in \{0,1\}$, let $\mathrm{Not}(\Phi) = x_1^u \cdots x_{i-1}^u\,x_i^{\mathrm{Not}(k_i)}\,x_{i+1}^u \cdots x_n^u$, so that rule NotFlx reads $\Gamma \vdash \mathrm{Not}(E\,\Phi) \Rightarrow Z\,\mathrm{Not}(\Phi)$.

¹To avoid too many indices on existential variables, we adopt the convention that the scope of existential variables is limited to each member of a complement set.

Theorem 4.18 Let $\Gamma \vdash N : A$ be a simple (linear) term: for every $Q$ such that $\Gamma \vdash \mathrm{Not}(N) \Rightarrow Q : A$, it is not the case that both $\Gamma \vdash M \in \|N\| : A$ and $\Gamma \vdash M \in \|Q\| : A$.

Proof: By induction on the structure of $\mathcal{D} :: \Gamma \vdash \mathrm{Not}(N) \Rightarrow Q$.

Case: $\mathcal{D}$ ends in NotFlx; assume $\Gamma \vdash M \in \|E\,\Phi\|$ and consider $x_i{:}A \in \Gamma$:

Subcase: $\Phi(x_i) = 1$:

$\cdot;\Omega;(\Delta,x_i{:}A) \vdash \Phi\ \mathit{ok}$ (by definition)

$\Gamma \vdash M \in \|\mathrm{Not}(E\,\Phi)\|$ (by assumption)

$\Gamma \vdash M \in \|Z\,\mathrm{Not}(\Phi)\|$ (by rule NotFlx)

$\cdot;\Omega;(\Delta,x_i{:}A) \vdash M : A$ and $(\Omega,\Delta);x_i{:}A;\cdot \vdash M : A$ (by Remark 4.10)

$\bot$ (by Corollary 3.14)

Subcase: $\Phi(x_i) = 0$: symmetrically.

Subcase: $\Phi(x_i) = u$: trivially true.

Case: $\mathcal{D}$ ends in $\mathrm{NotApp}^1$. Suppose both $\Gamma \vdash M \in \|h\,N_1^n\|$ and $\Gamma \vdash M \in \|g\,(Z_1\,\Gamma^u)^1 \cdots (Z_m\,\Gamma^u)^1\|$ for $h \ne g$; but this is immediately impossible by rule grApp, as the root of $M$ should be both $h$ and $g$.

Case: $\mathcal{D}$ ends in $\mathrm{NotApp}^2$:

$\Gamma \vdash \mathrm{Not}(h\,N_1^n) \Rightarrow h\,(Z_1\,\Gamma^u)^1 \cdots (Z_{i-1}\,\Gamma^u)^1\,Q_i^1\,(Z_{i+1}\,\Gamma^u)^1 \cdots (Z_n\,\Gamma^u)^1 : a$ (by hypothesis)

$\Gamma \vdash \mathrm{Not}(N_i) \Rightarrow Q_i : A_i$, for some $1 \le i \le n$ (by sub-derivation)

$\Gamma \vdash h\,M_1^n \in \|h\,N_1^n\| : a$ (by assumption)

$\Gamma \vdash h\,M_1^n \in \|h\,(Z_1\,\Gamma^u)^1 \cdots (Z_{i-1}\,\Gamma^u)^1\,Q_i^1\,(Z_{i+1}\,\Gamma^u)^1 \cdots (Z_n\,\Gamma^u)^1\| : a$ (by assumption)

$\Gamma \vdash M_i \in \|N_i\| : A_i$ (by inversion)

$\Gamma \vdash M_i \in \|Q_i\| : A_i$ (by inversion)

$\bot$ (by IH)

Case: $\mathcal{D}$ ends in NotLam:

$\Gamma \vdash \mathrm{Not}(\lambda x^u{:}A.\,N) \Rightarrow \lambda x^u{:}A.\,Q : A \to B$ (by hypothesis)

$\Gamma,x{:}A \vdash \mathrm{Not}(N) \Rightarrow Q : B$ (by sub-derivation)

$\Gamma \vdash \lambda x^u{:}A.\,M \in \|\lambda x^u{:}A.\,N\| : A \to B$ (by hypothesis)

$\Gamma \vdash \lambda x^u{:}A.\,M \in \|\lambda x^u{:}A.\,Q\| : A \to B$ (by assumption)

$\Gamma,x{:}A \vdash M \in \|N\| : B$ (by inversion)

$\Gamma,x{:}A \vdash M \in \|Q\| : B$ (by inversion)

$\bot$ (by IH)

□

Note that soundness is based on Corollary 3.14, which holds for any strict term: thus disjointness does not require simple terms.

Lemma 4.19 Assume $\Gamma \vdash E_a\,\Phi : a$; either $\Gamma \vdash M \in \|E_a\,\Phi\| : a$ or there exists $1 \le i \le n$ such that $\Gamma \vdash \mathrm{Not}(E_a\,\Phi) \Rightarrow Z\,\mathrm{Not}(\Phi) : a$ and $\Gamma \vdash M \in \|Z\,\mathrm{Not}(\Phi)\| : a$.

Proof: Let $\Gamma;\cdot;\cdot \vdash M : A$; then by Corollary 4.6 there exist $\Omega$ and $\Delta$ such that $\Gamma = \Omega,\Delta$ and $\cdot;\Omega;\Delta \vdash M \Uparrow A$. Fix $x_i^{k_i}$ for $1 \le i \le n$:

Case: For every $x \in \mathrm{dom}(\Omega)$ such that $x = x_i^{k_i}$ it holds $k_i \in \{0,u\}$, and for every $x \in \mathrm{dom}(\Delta)$, $k_i \in \{1,u\}$. Then $\Gamma \vdash M \in \|E\,\Phi\|$.

Case: For some $x \in \mathrm{dom}(\Omega)$ such that $x = x_i^{k_i}$ it holds $k_i = 1$. Then $\Gamma \vdash M \in \|Z\,x_1^u \cdots x_{i-1}^u\,x_i^0\,x_{i+1}^u \cdots x_n^u\|$, that is $\Gamma \vdash M \in \|Z\,\mathrm{Not}(\Phi)\|$.

Case: For some $x \in \mathrm{dom}(\Delta)$ such that $x = x_i^{k_i}$ it holds $k_i = 0$. Then $\Gamma \vdash M \in \|Z\,x_1^u \cdots x_{i-1}^u\,x_i^1\,x_{i+1}^u \cdots x_n^u\|$, that is $\Gamma \vdash M \in \|Z\,\mathrm{Not}(\Phi)\|$.

□

$$\frac{M \downarrow t\,\Phi \qquad \cdot \nvdash t : A}{\Gamma \vdash M \notin \|E_a\,\Phi\| : a}\ \mathrm{ngrFlx}$$

$$\frac{\Gamma,x{:}A \vdash M \notin \|N\| : B}{\Gamma \vdash \lambda x^u{:}A.\,M \notin \|\lambda x^u{:}A.\,N\| : A \to B}\ \mathrm{ngrLam}$$

$$\frac{\Gamma \vdash h : A_1 \to \dots \to A_n \to a \qquad \exists i : 1 \le i \le n.\ \Gamma \vdash M_i \notin \|N_i\| : A_i}{\Gamma \vdash h\,M_1^n \notin \|h\,N_1^n\| : a}\ \mathrm{ngrApp}$$

$$\frac{g \ne h}{\Gamma \vdash g\,M_1^m \notin \|h\,N_1^n\| : a}\ \mathrm{ngrAppCls}$$

Figure 4.3: Not a ground instance: $\Gamma \vdash M \notin \|N\| : A$


For technical reasons, we need the rules complementary to Figure 4.2, which are depicted in Figure 4.3. We are now ready to prove exhaustivity of complementation.

Theorem 4.20 Assume $\Gamma \vdash N : A$ is a simple (linear) term; then if $\Gamma \vdash M \notin \|N\| : A$, there is a $Q$ such that $\Gamma \vdash \mathrm{Not}(N) \Rightarrow Q : A$ and $\Gamma \vdash M \in \|Q\| : A$.


Proof: By induction on the structure of $\mathcal{D} :: \Gamma \vdash M \notin \|N\| : A$.

Case: $\mathcal{D}$ ends in ngrFlx: by Lemma 4.19.

Case: $\mathcal{D}$ ends in ngrAppCls:

$\Gamma \vdash g\,M_1^m \notin \|h\,N_1^n\| : a$ (by hypothesis)

$\Gamma \vdash \mathrm{Not}(h\,N_1^n) \Rightarrow g\,(Z_1\,\Gamma^u)^1 \cdots (Z_m\,\Gamma^u)^1 : a$ (by rule $\mathrm{NotApp}^1$)

$\Gamma \vdash g\,M_1^m \in \|g\,(Z_1\,\Gamma^u)^1 \cdots (Z_m\,\Gamma^u)^1\| : a$ (by rule grApp)

Case: $\mathcal{D}$ ends in ngrApp:

$\Gamma \vdash h\,M_1^n \notin \|h\,N_1^n\| : a$ (by hypothesis)

$\Gamma \vdash M_i \notin \|N_i\| : A_i$ for some $1 \le i \le n$ (by sub-derivation)

$\Gamma \vdash \mathrm{Not}(N_i) \Rightarrow Q_i : A_i$ and $\Gamma \vdash M_i \in \|Q_i\| : A_i$ (by IH)

$\Gamma \vdash M_j \in \|Z_j\,\Gamma^u\|$ for all $j \ne i$, $1 \le j \le n$ (by rule grFlx)

$\Gamma \vdash \mathrm{Not}(h\,N_1^n) \Rightarrow h\,(Z_1\,\Gamma^u)^1 \cdots (Z_{i-1}\,\Gamma^u)^1\,Q_i^1\,(Z_{i+1}\,\Gamma^u)^1 \cdots (Z_n\,\Gamma^u)^1 : a$ (by rule $\mathrm{NotApp}^2$)

$\Gamma \vdash h\,M_1^n \in \|h\,(Z_1\,\Gamma^u)^1 \cdots (Z_{i-1}\,\Gamma^u)^1\,Q_i^1\,(Z_{i+1}\,\Gamma^u)^1 \cdots (Z_n\,\Gamma^u)^1\| : a$ (by rule grApp)

Case: $\mathcal{D}$ ends in ngrLam:

$\Gamma \vdash \lambda x^u{:}A.\,M \notin \|\lambda x^u{:}A.\,N\| : A \to B$ (by hypothesis)

$\Gamma,x{:}A \vdash M \notin \|N\| : B$ (by sub-derivation)

$\Gamma,x{:}A \vdash \mathrm{Not}(N) \Rightarrow Q : B$ and $\Gamma,x{:}A \vdash M \in \|Q\| : B$ for some $Q$ (by IH)

$\Gamma \vdash \mathrm{Not}(\lambda x^u{:}A.\,N) \Rightarrow \lambda x^u{:}A.\,Q : A \to B$ (by rule NotLam)

$\Gamma \vdash \lambda x^u{:}A.\,M \in \|\lambda x^u{:}A.\,Q\| : A \to B$ (by rule grLam)

□

Corollary 4.21 (Partition Lemma) For a fixed signature $\Sigma$ let $\Gamma \vdash N : A$ be a (linear) simple term:

1. (Disjointness) It is not the case that $\Gamma \vdash M \in \|N\| : A$ and $\Gamma \vdash M \in \|\mathrm{Not}(N)\| : A$.

2. (Exhaustivity) $\Gamma \vdash M \in \|N\| : A$ or $\Gamma \vdash M \in \|\mathrm{Not}(N)\| : A$.

Proof: Disjointness is entailed by Theorem 4.18, exhaustivity by Theorem 4.20. □

4.3 Unification of Simple Terms

As we observed earlier, we can solve a relative complement problem by pairing complementation with intersection. We thus address now the task of giving an algorithm for unification of (linear) simple terms. We start by determining when two labelings are compatible:
$$1 \cap 1 = u \cap 1 = 1 \cap u = 1 \qquad 0 \cap 0 = u \cap 0 = 0 \cap u = 0 \qquad u \cap u = u$$
while $1 \cap 0$ and $0 \cap 1$ are undefined.

Recall that $\Phi$ is a list of labeled bound variables; we can extend the intersection operation to these contexts:
$$\cdot \cap \cdot = \cdot \qquad\qquad (\Phi,x^k) \cap (\Psi,x^{k'}) = (\Phi \cap \Psi),x^{k \cap k'} \quad \text{if } k \cap k' \text{ is defined}$$

Remark 4.22 If $\Gamma_i;\Omega_i;\Delta_i \vdash \Phi_i\ \mathit{ok}$ for $1 \le i \le 2$, then $(\Gamma_1 \cap \Gamma_2);(\Omega_1,\Omega_2);(\Delta_1,\Delta_2) \vdash (\Phi_1 \cap \Phi_2)\ \mathit{ok}$, where $\Gamma_1 \cap \Gamma_2$ denotes set-theoretic intersection and $(\Phi_1 \cap \Phi_2)(x) = \Phi_1(x) \cap \Phi_2(x)$. Indeed, $(\Phi_1 \cap \Phi_2)(x) = u$ iff $x \in \mathrm{dom}(\Gamma_1)$ and $x \in \mathrm{dom}(\Gamma_2)$; moreover $(\Phi_1 \cap \Phi_2)(x) = 0$ iff either $x \in \mathrm{dom}(\Omega_1)$ and $x \in \mathrm{dom}(\Omega_2 \cup \Gamma_2)$, or $x \in \mathrm{dom}(\Omega_2)$ and $x \in \mathrm{dom}(\Omega_1 \cup \Gamma_1)$. Analogously for $(\Phi_1 \cap \Phi_2)(x) = 1$. From that, as before, it follows that $\Psi \vdash M \in \|E_a\,(\Phi_1 \cap \Phi_2)\|$ iff $M \downarrow \lambda(\Phi_1 \cap \Phi_2).\,S\ (\Phi_1 \cap \Phi_2)$ such that $(\Gamma_1 \cap \Gamma_2);(\Omega_1,\Omega_2);(\Delta_1,\Delta_2) \vdash S : A$.

Following standard terminology, we call atomic terms whose head is a free or bound variable rigid, while terms whose head is an existential variable are called flexible.

Definition 4.23 (Higher-Order Pattern Intersection) Fix a signature $\Sigma$. For simple (linear) terms $M$ and $N$ without shared variables such that $\Gamma \vdash M : A$ and $\Gamma \vdash N : A$, define $\Gamma \vdash M \cap N \Rightarrow Q : A$ by the following rules:

$$\frac{}{\Gamma \vdash (E_1\,\Phi_1) \cap (E_2\,\Phi_2) \Rightarrow E\,(\Phi_1 \cap \Phi_2) : a}\ \cap\mathrm{FF}$$

no rule for flex-flex same

$$\frac{c \in \Sigma \qquad \Gamma \vdash (E_1\,\Phi_1) \cap M_1 \Rightarrow N_1 : A_1 \quad\cdots\quad \Gamma \vdash (E_n\,\Phi_n) \cap M_n \Rightarrow N_n : A_n}{\Gamma \vdash (E\,\Phi) \cap (c\,M_1^n) \Rightarrow c\,N_1^n : a}\ \cap\mathrm{FR}^\Sigma$$

$$\frac{y \in \Gamma \qquad \Gamma \vdash (E_1\,\Phi_1) \cap M_1 \Rightarrow N_1 : A_1 \quad\cdots\quad \Gamma \vdash (E_n\,\Phi_n) \cap M_n \Rightarrow N_n : A_n}{\Gamma \vdash (E\,\Phi) \cap (y\,M_1^n) \Rightarrow y\,N_1^n : a}\ \cap\mathrm{FR}^\Gamma$$

$$\frac{h \in \Gamma \cup \Sigma \qquad \Gamma \vdash M_1 \cap N_1 \Rightarrow Q_1 : A_1 \quad\cdots\quad \Gamma \vdash M_n \cap N_n \Rightarrow Q_n : A_n}{\Gamma \vdash h\,M_1^n \cap h\,N_1^n \Rightarrow h\,Q_1^n : a}\ \cap\mathrm{RR}$$

$$\frac{\Gamma,x{:}A \vdash M \cap N \Rightarrow Q : B}{\Gamma \vdash \lambda x^u{:}A.\,M \cap \lambda x^u{:}A.\,N \Rightarrow \lambda x^u{:}A.\,Q : A \to B}\ \cap\mathrm{L}$$

where the $E_i$'s are fresh variables of appropriate typing and $n \ge 0$. We omit two rules $\cap\mathrm{RF}^\Sigma$ and $\cap\mathrm{RF}^\Gamma$ which are symmetric to $\cap\mathrm{FR}^\Sigma$ and $\cap\mathrm{FR}^\Gamma$. The rules $\cap\mathrm{FR}^\Sigma$ and $\cap\mathrm{RF}^\Sigma$ have the following proviso: for all $x \in \Phi$ and $1 \le i \ne j \le n$:
$$\begin{aligned}
\forall x.\ \Phi(x) = 0 &\to \forall i.\ \Phi_i(x) = 0\\
\forall x.\ \Phi(x) = u &\to \forall i.\ \Phi_i(x) = u\\
\forall x.\ \Phi(x) = 1 &\to \exists i.\ \Phi_i(x) = 1 \wedge \forall j,\ j \ne i.\ \Phi_j(x) = u
\end{aligned}$$

The rules $\cap\mathrm{FR}^\Gamma$ and $\cap\mathrm{RF}^\Gamma$ are subject to the proviso:
$$\begin{aligned}
\forall x.\ \Phi(x) = 0 &\to \forall i.\ \Phi_i(x) = 0\\
\forall x.\ \Phi(x) = u &\to \forall i.\ \Phi_i(x) = u\\
\forall x.\ x \ne y \wedge \Phi(x) = 1 &\to \exists i.\ \Phi_i(x) = 1 \wedge \forall j,\ j \ne i.\ \Phi_j(x) = u\\
\Phi(y) = u &\vee (\Phi(y) = 1 \wedge \forall i.\ \Phi_i(y) = u)
\end{aligned}$$

Finally define $\Gamma \vdash M \cap N : A = \mathcal{Q}$ if $\mathcal{Q} = \{Q \mid \Gamma \vdash M \cap N \Rightarrow Q : A\}$.

Some remarks are in order:

• In rule $\cap\mathrm{FF}$ we can assume that the same list of variables, though with different labeling, is the argument of $E$ and $F$: since simple terms are fully applied and, due to linearity, we can always reorder the context to the same list.

• Since patterns are linear and $M$ and $N$ share no pattern variables, the flex-flex case arises only with distinct variables. This also means we do not have to apply substitutions or perform the customary occurs-check.

• In the flex/rigid and rigid/flex rules, the proviso enforces the typing discipline, since each strict variable $x$ must be strict in some premise. If instead $y$ is the projected variable, the modified condition on $y$ takes into account that the head of an application constitutes a strict occurrence; moreover, since $y$ did occur, it is set to $u$ in the rest of the computation, as there are no more requirements on that variable.

• The symmetric rules take the place of an explicit exchange rule, which is problematic w.r.t. termination.

The following example illustrates how the flex-rigid rules, in this case $\cap\mathrm{FR}^\Sigma$, make unification on simple terms non-unitary.

Example 4.24 Consider the unification problem
$$x{:}A \vdash E\,x^1 \cap c\,(F\,x^u)^1\,(F'\,x^u)^1$$

Since $x$ is strict in the LHS, there are two ways in which $\Phi$ can be 'split', leading to the following sub-problems:

1. $x{:}A \vdash E'\,x^1 \cap F\,x^u \Rightarrow H\,x^1 \qquad x{:}A \vdash E''\,x^u \cap F'\,x^u \Rightarrow H'\,x^u$

2. $x{:}A \vdash E'\,x^u \cap F\,x^u \Rightarrow H\,x^u \qquad x{:}A \vdash E''\,x^1 \cap F'\,x^u \Rightarrow H'\,x^1$

Hence the result:
$$x{:}A \vdash E\,x^1 \cap c\,(F\,x^u)^1\,(F'\,x^u)^1 = \{c\,(H\,x^1)^1\,(H'\,x^u)^1,\ c\,(H\,x^u)^1\,(H'\,x^1)^1\}$$

Note that, similarly to complementation, intersection returns a solution with some 'overlapping' possible; again it is possible, in a post-processing phase, to make the result exclusive: for example the above problem can be made explicit in:
$$x{:}A \vdash E\,x^1 \cap c\,(F\,x^u)^1\,(F'\,x^u)^1 = \{c\,(H\,x^1)^1\,(H'\,x^0)^1,\ c\,(H\,x^0)^1\,(H'\,x^1)^1,\ c\,(H\,x^1)^1\,(H'\,x^1)^1\}$$

However, differently from complementation, we must remark that the latter is not the most general solution w.r.t. the subsumption ordering on terms based on the (reverse) partial information ordering on labels. Indeed, a member of the intersection, e.g. $c\,(H\,x^1)^1\,(H'\,x^0)^1$, is a lower bound of both terms above, i.e.
$$c\,(H\,x^1)^1\,(H'\,x^0)^1 \le E\,x^1 \qquad\qquad c\,(H\,x^1)^1\,(H'\,x^0)^1 \le c\,(H\,x^u)^1\,(H'\,x^u)^1$$
but it is not the greatest lower bound:
$$c\,(H\,x^1)^1\,(H'\,x^0)^1 < c\,(H\,x^1)^1\,(H'\,x^u)^1$$

The following example illustrates the additional proviso on $\cap\mathrm{FR}^\Gamma$: the head $y$ is a strict occurrence, so a generalized variable in which $y$ is vacuous cannot meet a term headed by $y$.

Example 4.25 The unification problem $y{:}A \vdash (E\,y^0) \cap (y\,(F\,y^0)^1\,(F'\,y^0)^1)$ has no solution, whereas
$$y{:}A \vdash (E\,y^1) \cap (y\,(F\,y^0)^1\,(F'\,y^0)^1) = \{y\,(H\,y^0)^1\,(H'\,y^0)^1\}.$$
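The complement rules of Definition 4.13 (Examples 4.14 and 4.15) and the intersection rules of Definition 4.23 (Examples 4.24 and 4.25) are syntax-directed enough to be run. The following Python module is an added example and is not code from the thesis: it encodes simple terms as nested tuples with explicit labels, implements Not on labels and on terms, $\Phi \cap \Psi$ on labelings, and the flex-rigid splittings dictated by the provisos. The tuple encoding, the names $Z1, Z2, \dots$ for fresh logic variables and the canonical renaming used to compare results are conventions of this example, not of the thesis; argument labels of rigid applications, always 1 in simple terms, are left implicit, and $\cap\mathrm{L}$ assumes both abstractions use the same bound name. Running it reproduces (4.1), Example 4.15 and Examples 4.24 and 4.25, including the failing case with $E\,y^0$.

```python
from itertools import count, product

# Added example (not the thesis' code). A simple term is a nested tuple:
#   ('flex', name, ((x, k), ...))  generalized variable  name x1^k1 ... xn^kn,  k in {'0','1','u'}
#   ('app', head, (M1, ..., Mn))   rigid application; argument labels (always 1) are implicit
#   ('lam', x, A, body)            abstraction  lambda x^u:A. body
# A base type is a string; an arrow type A -> B is ('->', A, B).

NOT_LABEL = {'1': '0', '0': '1', 'u': 'u'}                      # Kleene negation on labels
MEET = {('1', '1'): '1', ('u', '1'): '1', ('1', 'u'): '1',        # label intersection;
        ('0', '0'): '0', ('u', '0'): '0', ('0', 'u'): '0',        # 1 meet 0 is undefined
        ('u', 'u'): 'u'}
_fresh = count(1)

def flex(phi):
    """A fresh logic variable (named Z1, Z2, ... here) applied to the labelled variables phi."""
    return ('flex', 'Z%d' % next(_fresh), tuple(phi))

def unfold(ty):
    """Split A1 -> ... -> Am -> a into ([A1, ..., Am], a)."""
    args = []
    while isinstance(ty, tuple) and ty[0] == '->':
        args.append(ty[1]); ty = ty[2]
    return args, ty

def complement(sigma, gamma, term, ty):
    """Gamma |- Not(term) at type ty by NotFlx, NotLam, NotApp1, NotApp2 (Definition 4.13).
    sigma maps constants to types; gamma lists the (variable, type) pairs of the context."""
    if term[0] == 'flex':                                   # NotFlx: flip one determined label, rest u
        phi = term[2]
        return [flex([(x, NOT_LABEL[k] if j == i else 'u') for j, (x, k) in enumerate(phi)])
                for i, (_, k) in enumerate(phi) if k in '01']
    if term[0] == 'lam':                                    # NotLam: complement under the binder
        _, x, A, body = term
        return [('lam', x, A, N) for N in complement(sigma, gamma + [(x, A)], body, ty[2])]
    _, h, args = term
    gamma_u = [(x, 'u') for x, _ in gamma]
    out = []
    for p, pty in list(sigma.items()) + gamma:              # NotApp1: any other head of result type ty
        p_args, p_res = unfold(pty)
        if p != h and p_res == ty:
            out.append(('app', p, tuple(flex(gamma_u) for _ in p_args)))
    h_args, _ = unfold(dict(sigma, **dict(gamma))[h])
    for i, Mi in enumerate(args):                           # NotApp2: same head, one argument negated
        for N in complement(sigma, gamma, Mi, h_args[i]):
            out.append(('app', h, tuple(N if j == i else flex(gamma_u) for j in range(len(args)))))
    return out

def phi_meet(phi1, phi2):
    """Phi1 meet Phi2 on labellings of the same variables; None when a 1 meets a 0."""
    out = []
    for (x, k1), (_, k2) in zip(phi1, phi2):
        if (k1, k2) not in MEET:
            return None
        out.append((x, MEET[(k1, k2)]))
    return out

def splittings(phi, n, head):
    """All (Phi_1, ..., Phi_n) allowed by the provisos of the flex-rigid rules, for E Phi
    against a rigid term with the given head and n arguments."""
    choices = []
    for x, k in phi:
        if x == head:                                       # the head is a strict occurrence of x
            if k == '0':
                return []                                   # a vacuous variable cannot be the head
            choices.append([['u'] * n])                     # and nothing more is required of it
        elif k == '1':                                      # strict: exactly one argument is strict
            choices.append([['1' if j == i else 'u' for j in range(n)] for i in range(n)])
        else:                                               # 0 and u are inherited by every argument
            choices.append([[k] * n])
    return [[[(x, row[j]) for (x, _), row in zip(phi, combo)] for j in range(n)]
            for combo in product(*choices)]

def intersect(gamma, M, N):
    """Gamma |- M meet N by rules FF, FR, RF, RR and L of Definition 4.23; returns the list of Q."""
    if M[0] == 'flex' and N[0] == 'flex':                   # FF
        meet = phi_meet(M[2], N[2])
        return [flex(meet)] if meet is not None else []
    if M[0] == 'app' and N[0] == 'flex':                    # RF is the mirror image of FR
        M, N = N, M
    if M[0] == 'flex' and N[0] == 'app':                    # FR (constant or bound-variable head)
        _, h, args = N
        out = []
        for phis in splittings(M[2], len(args), h):
            subs = [intersect(gamma, flex(p), a) for p, a in zip(phis, args)]
            out += [('app', h, combo) for combo in product(*subs)]
        return out
    if M[0] == 'app' and N[0] == 'app':                     # RR: same head, argumentwise
        if M[1] != N[1] or len(M[2]) != len(N[2]):
            return []
        subs = [intersect(gamma, a, b) for a, b in zip(M[2], N[2])]
        return [('app', M[1], combo) for combo in product(*subs)]
    if M[0] == 'lam' and N[0] == 'lam':                     # L: bound variables assumed to share a name
        return [('lam', M[1], M[2], Q) for Q in intersect(gamma + [(M[1], M[2])], M[3], N[3])]
    return []

def canon(term, env=None):
    """Rename logic variables in traversal order so alpha-variant results compare equal."""
    env = {} if env is None else env
    if term[0] == 'flex':
        return ('flex', env.setdefault(term[1], 'Z%d' % len(env)), term[2])
    if term[0] == 'app':
        return ('app', term[1], tuple(canon(a, env) for a in term[2]))
    return ('lam', term[1], term[2], canon(term[3], env))

def canon_set(terms):
    return frozenset(canon(t) for t in terms)

if __name__ == '__main__':
    nat = {'0': 'nat', 's': ('->', 'nat', 'nat')}            # the signature of numerals
    ex415 = ('lam', 'x', 'nat', ('lam', 'y', 'nat', ('app', 's', (('flex', 'E', (('x', '1'), ('y', '1'))),))))
    for N in complement(nat, [], ex415, ('->', 'nat', ('->', 'nat', 'nat'))):
        print(N)
    rigid = ('app', 'y', (('flex', 'F', (('y', '0'),)), ('flex', "F'", (('y', '0'),))))
    print(intersect([('y', 'A')], ('flex', 'E', (('y', '0'),)), rigid))   # Example 4.25: no solution
```

Each member of a complement or intersection set is renamed separately by `canon`, matching the footnote convention that existential variables are scoped per member; the exclusive post-processing of Examples 4.14 and 4.24 is not performed, so overlapping members are returned as the rules produce them.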

Lemma 4.26 Let $M$ be a closed simple term. Then $\Gamma_1;\Omega_1;\Delta_1 \vdash M : A$ and $\Gamma_2;\Omega_2;\Delta_2 \vdash M : A$ iff $(\Gamma_1 \cap \Gamma_2);(\Omega_1,\Omega_2);(\Delta_1,\Delta_2) \vdash M : A$.

Proof: $(\Rightarrow)$ By induction on the size of $(\Gamma_1 \cup \Gamma_2) \setminus (\Gamma_1 \cap \Gamma_2)$.

Base: Let $\Gamma_1 = \Gamma_2$, thus $(\Gamma_1 \cup \Gamma_2) \setminus (\Gamma_1 \cap \Gamma_2) = \emptyset$. Then by Exclusivity (Lemma 3.13) $\Omega_1 = \Omega_2$ and $\Delta_1 = \Delta_2$, and the claim holds.

Step: Let $\Gamma_1 = (\Gamma_1',x{:}C)$, where $x \notin \mathrm{dom}(\Gamma_2)$. By Tightening (Lemma 4.5) either $\Gamma_1';(\Omega_1,x{:}C);\Delta_1 \vdash M : A$ or $\Gamma_1';\Omega_1;(\Delta_1,x{:}C) \vdash M : A$:

Subcase: $\Gamma_1';(\Omega_1,x{:}C);\Delta_1 \vdash M : A$

$(\Gamma_1' \cap \Gamma_2);(\Omega_1,x{:}C,\Omega_2);(\Delta_1,\Delta_2) \vdash M : A$ (by IH)

$(\Gamma_1 \cap \Gamma_2);(\Omega_1,x{:}C,\Omega_2);(\Delta_1,\Delta_2) \vdash M : A$ (since $x \notin \mathrm{dom}(\Gamma_2)$)

$(\Gamma_1 \cap \Gamma_2);(\Omega_1,\Omega_2);(\Delta_1,\Delta_2) \vdash M : A$ (since $x \in \mathrm{dom}(\Omega_2)$ by Lemma 3.13)

Subcase: $\Gamma_1';\Omega_1;(\Delta_1,x{:}C) \vdash M : A$. Analogously.

$(\Leftarrow)$

$(\Gamma_1 \cap \Gamma_2);(\Omega_1,\Omega_2);(\Delta_1,\Delta_2) \vdash M : A$ (by hypothesis)

$(\Gamma_1 \cap \Gamma_2,\Omega_2);\Omega_1;(\Delta_1,\Delta_2) \vdash M : A$ (by Loosening on $\Omega_2$)

$(\Gamma_1 \cap \Gamma_2,\Omega_2,\Delta_2);\Omega_1;\Delta_1 \vdash M : A$ (by Loosening on $\Delta_2$)

$\Gamma_1;\Omega_1;\Delta_1 \vdash M : A$ (since $(\Gamma_1 \cap \Gamma_2),\Omega_2,\Delta_2,\Omega_1,\Delta_1 = \Gamma_1,\Omega_1,\Delta_1$)

$\Gamma_2;\Omega_2;\Delta_2 \vdash M : A$ (analogously)

□


We introduce two $n$-ary strict application rules, one corresponding to the imitation step and the other to projection, which will be needed in the proofs of Theorems 4.33 and 4.34; in the following we shorten $x \in \mathrm{dom}(\Gamma)$ to $x \in \Gamma$.

$$\frac{(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i \qquad 1 \le i \le n}{\Gamma;\Omega;\Delta \vdash c\,M_1^n : B}\ {\to}\mathrm{E}^\Sigma$$

where $\Gamma;\Omega;\cdot \vdash c : A_1 \to \dots \to A_n \to B$ and

1. $\forall x \in \Delta.\ \exists i : 1 \le i \le n.\ x \in \Delta_i^1$.

2. $\forall i : 1 \le i \le n.\ \Delta_i^u \cup \Delta_i^1 = \Delta$.

$$\frac{(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i \qquad 1 \le i \le n}{\Gamma;\Omega;\Delta \vdash y\,M_1^n : B}\ {\to}\mathrm{E}^\Gamma$$

where $\Gamma_0;\Omega_0;\Delta_0 \vdash y : A_1 \to \dots \to A_n \to B$ and

1. $\forall x \in \Delta,\ x \ne y.\ \exists i : 1 \le i \le n.\ x \in \Delta_i^1$.

2. $\forall i : 1 \le i \le n.\ \Delta_i^u \cup \Delta_i^1 = \Delta$.

3. $\Delta_0 = \{y\}$ and $\forall i : 1 \le i \le n.\ y \in \Delta_i^u$.

Note that in the latter rule we consider only the case where $y$ occurs strictly, that is $\Delta_0 = \{y\}$; indeed, if $y \in \Gamma_0$, then the rule is just a renaming of the previous rule ${\to}\mathrm{E}^\Sigma$.

We proceed to show that both are derivable and invertible rules.

Lemma 4.27 Let $\Gamma;\Omega;\cdot \vdash c : A_1 \to \dots \to A_n \to B$; if $(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$ for $1 \le i \le j$, then $(\Gamma,\Delta^u);\Omega;\Delta^1 \vdash c\,M_1 \dots M_j : A_{j+1} \to \dots \to A_n \to B$, where

1. $\forall x \in \Delta^1.\ \exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

1'. $\forall x \in \Delta^u.\ \neg\exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

2. $\forall i : 1 \le i \le j.\ \Delta_i^u \cup \Delta_i^1 = \Delta^u \cup \Delta^1$.

Proof: By induction on $j$.

$j = 0$: Set $\Delta^1 = \cdot$; then by hypothesis and Weakening$^u$ $(\Gamma,\Delta^u);\Omega;\cdot \vdash c : A_1 \to \dots \to A_n \to B$.

$j + 1$:

$(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$, $1 \le i \le j$ (by assumption)

$(\Gamma,\Delta^u);\Omega;\Delta^1 \vdash c\,M_1 \dots M_j : A_{j+1} \to \dots \to A_n \to B$ (by IH)

$(\Gamma,\Delta_{j+1}^u);\Omega;\Delta_{j+1}^1 \vdash M_{j+1} : A_{j+1}$ (by hypothesis)

$(\Gamma,\Delta'^u);\Omega;\Delta'^1 \vdash c\,M_1 \dots M_{j+1} : A_{j+2} \to \dots \to A_n \to B$ (by rule ${\to}\mathrm{E}$)

such that:

(a) $x \in \Delta'^1 \iff x \in \Delta_{j+1}^1$ or $x \in \Delta^1$.

(b) $x \in \Delta'^u \iff x \in \Delta_{j+1}^u$ and $x \in \Delta^u$.

We now show that the last step satisfies the conditions in the claim.

1. $x \in \Delta'^1$ (by assumption), hence $x \in \Delta_{j+1}^1 \cup \Delta^1$ (by (a)).
Subcase $x \in \Delta_{j+1}^1$: $\exists i : 1 \le i \le j+1.\ x \in \Delta_i^1$.
Subcase $x \in \Delta^1$: $x \in \Delta_i^1$ for some $1 \le i \le j$ (by IH), hence $\exists i : 1 \le i \le j+1.\ x \in \Delta_i^1$ (a fortiori).

1'. $x \in \Delta'^u$ (by hypothesis), hence $x \in \Delta^u$ (by (b)), hence $\neg\exists i : 1 \le i \le j.\ x \in \Delta_i^1$ (by IH); moreover $x \in \Delta_{j+1}^u$ (by (b)), hence $\neg\exists i : 1 \le i \le j+1.\ x \in \Delta_i^1$ (by disjointness of contexts).

2. $\forall i : 1 \le i \le j.\ \Delta_i^u \cup \Delta_i^1 = \Delta^u \cup \Delta^1$ (by IH); $\Delta_{j+1}^u \cup \Delta_{j+1}^1 = \Delta^u \cup \Delta^1$ (by hypothesis); hence $\forall i : 1 \le i \le j+1.\ \Delta_i^u \cup \Delta_i^1 = \Delta'^u \cup \Delta'^1$ (by (a), (b) and set manipulations).

□

Lemma 4.28 Let $\Gamma;\Omega;\cdot \vdash c : A_1 \to \dots \to A_n \to B$; if $(\Gamma,\Delta^u);\Omega;\Delta^1 \vdash c\,M_1 \dots M_j : A_{j+1} \to \dots \to A_n \to B$, then for every $1 \le i \le j$ there are $\Delta_i^u, \Delta_i^1$ such that $(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$ and

1. $\forall x \in \Delta^1.\ \exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

1'. $\forall x \in \Delta^u.\ \neg\exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

2. $\forall i : 1 \le i \le j.\ \Delta_i^u \cup \Delta_i^1 = \Delta^u \cup \Delta^1$.

Proof: By induction on $j$.

$j = 0$: Set $\Delta^1 = \cdot$; then by hypothesis and Weakening$^u$ $(\Gamma,\Delta^u);\Omega;\cdot \vdash c : A_1 \to \dots \to A_n \to B$.

$j + 1$:

$(\Gamma,\Delta^u);\Omega;\Delta^1 \vdash c\,M_1 \dots M_{j+1} : A_{j+2} \to \dots \to A_n \to B$ (by assumption)

$(\Gamma,\Delta'^u);\Omega;\Delta'^1 \vdash c\,M_1 \dots M_j : A_{j+1} \to \dots \to A_n \to B$ and $(\Gamma,\Delta_{j+1}^u);\Omega;\Delta_{j+1}^1 \vdash M_{j+1} : A_{j+1}$ (by inversion on rule ${\to}\mathrm{E}$), with $(x \in \Delta^1 \iff x \in \Delta_{j+1}^1 \vee x \in \Delta'^1)$ and $(x \in \Delta^u \iff x \in \Delta_{j+1}^u \wedge x \in \Delta'^u)$

$(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$ for $1 \le i \le j$ (by IH)

since the conditions of the claim are satisfied as in Lemma 4.27 above.

□

Corollary 4.29 Rule ${\to}\mathrm{E}^\Sigma$ is derivable and invertible.

Proof: For derivability, use Lemma 4.27 with $j = n$, $\Delta^u = \cdot$, $\Delta^1 = \Delta$; conditions 1 and 2 are immediately satisfied. Ditto w.r.t. invertibility, using Lemma 4.28. □

Lemma 4.30 Let $\Gamma_0;\Omega_0;y{:}A_1 \to \dots \to A_n \to B \vdash y : A_1 \to \dots \to A_n \to B$. If $(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$ for $1 \le i \le j$, then $(\Gamma,\Delta^u);\Omega;\Delta^1 \vdash y\,M_1 \dots M_j : A_{j+1} \to \dots \to A_n \to B$ and

1. $\forall x \in \Delta^1.\ \exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

1'. $\forall x \in \Delta^u.\ \neg\exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

2. $\forall i : 1 \le i \le j.\ \Delta_i^u \cup \Delta_i^1 = \Delta^u \cup \Delta^1$.

Proof: By induction on $j$.

$j = 0$: Let $\Delta^1 = \{y\}$ and weaken $\Gamma_0$ to $\Gamma,\Delta^u$; by hypothesis $(\Gamma,\Delta^u);\Omega;\Delta^1 \vdash y : A_1 \to \dots \to A_n \to B$.

$j + 1$: Completely analogous to the same case in Lemma 4.27.

□

Lemma 4.31 Let $\Gamma_0;\Omega_0;y{:}A_1 \to \dots \to A_n \to B \vdash y : A_1 \to \dots \to A_n \to B$; if $(\Gamma,\Delta^u);\Omega;\Delta^1 \vdash y\,M_1 \dots M_j : A_{j+1} \to \dots \to A_n \to B$, then for every $1 \le i \le j$ there are $\Delta_i^u, \Delta_i^1$ such that $(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$ and

1. $\forall x \in \Delta^1.\ \exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

1'. $\forall x \in \Delta^u.\ \neg\exists i : 1 \le i \le j.\ x \in \Delta_i^1$.

2. $\forall i : 1 \le i \le j.\ \Delta_i^u \cup \Delta_i^1 = \Delta^u \cup \Delta^1$.

Proof: By induction on $j$, similarly to Lemma 4.28.

□

Corollary 4.32 Rule ${\to}\mathrm{E}^\Gamma$ is derivable and invertible.

Proof: As in Corollary 4.29, using Lemmas 4.30 and 4.31. □


We are now ready to address soundness and completeness of intersection:

Theorem 4.33 For any simple linear terms $N_1$ and $N_2$ without shared variables such that $\Psi \vdash N_1 : A$ and $\Psi \vdash N_2 : A$, if $\Psi \vdash M \in \|N_1\| : A$ and $\Psi \vdash M \in \|N_2\| : A$, then there is $N$ such that $\Psi \vdash N_1 \cap N_2 \Rightarrow N : A$ and $\Psi \vdash M \in \|N\| : A$.

Proof: By simultaneous induction on the structure of $\mathcal{D}_1 :: \Psi \vdash M \in \|N_1\| : A$ and $\mathcal{D}_2 :: \Psi \vdash M \in \|N_2\| : A$.

Case: $\mathcal{D}_1, \mathcal{D}_2$ end in grFlx: by Remark 4.22 and the left-to-right direction of Lemma 4.26.

Case: $\mathcal{D}_1$ ends in grFlx and $\mathcal{D}_2$ ends in grApp: there are two cases depending on whether the head of $N_2$ is a constant or a bound variable:

Imit:

$\mathcal{D}_2 :: \Psi \vdash M \in \|c\,Q_1^n\|$ (by hypothesis)

$M = c\,M_1^n$ and $\mathcal{D}_2^i :: \Psi \vdash M_i \in \|Q_i\|$ for all $1 \le i \le n$ (by sub-derivation)

$\mathcal{D}_1 :: \Psi \vdash c\,M_1^n \in \|E\,\Phi\|$ (by hypothesis)

$c\,M_1^n \downarrow t\,\Phi$, where $t = \lambda\Phi.\,c\,M_1^n$ (by sub-derivation)

$\Gamma;\Omega;\Delta \vdash c\,M_1^n : B$ for $\Gamma;\Omega;\Delta \vdash \Phi\ \mathit{ok}$ (by Remark 4.10)

$(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$ for some $\Delta_i^u, \Delta_i^1$ satisfying 1 and 2 (by inversion on rule ${\to}\mathrm{E}^\Sigma$, Corollary 4.29)

$\mathcal{D}_1^i :: \Psi \vdash M_i \in \|E_i\,\Phi_i\|$ (by rule grFlx, choosing $\Phi_i$ such that $(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash \Phi_i\ \mathit{ok}$)

$\Psi \vdash E_i\,\Phi_i \cap Q_i \Rightarrow N_i$ for $1 \le i \le n$ and $\Psi \vdash M_i \in \|N_i\|$ (by IH on $\mathcal{D}_1^i, \mathcal{D}_2^i$)

$\mathcal{D} :: \Psi \vdash E\,\Phi \cap c\,Q_1^n \Rightarrow c\,N_1^n$ (by rule $\cap\mathrm{FR}^\Sigma$, since the proviso is satisfied)

$\Psi \vdash c\,M_1^n \in \|c\,N_1^n\|$ (by rule grApp)

Proj: Proceed as above, but using inversion on rule ${\to}\mathrm{E}^\Gamma$, i.e. Corollary 4.32.

Case: $\mathcal{D}_2$ ends in grFlx and $\mathcal{D}_1$ ends in grApp: symmetrical to the above.

Case: $\mathcal{D}_1, \mathcal{D}_2$ end in grLam:

$\Psi \vdash \lambda x^u{:}A.\,M \in \|\lambda x^u{:}A.\,N_1\|$ (by hypothesis)

$\mathcal{D}_1' :: \Psi,x{:}A \vdash M \in \|N_1\|$ (by sub-derivation)

$\Psi \vdash \lambda x^u{:}A.\,M \in \|\lambda x^u{:}A.\,N_2\|$ (by hypothesis)

$\mathcal{D}_2' :: \Psi,x{:}A \vdash M \in \|N_2\|$ (by sub-derivation)

$\mathcal{D}' :: \Psi,x{:}A \vdash N_1 \cap N_2 \Rightarrow N$ and $\Psi,x{:}A \vdash M \in \|N\|$ (by IH on $\mathcal{D}_1', \mathcal{D}_2'$)

$\Psi \vdash \lambda x^u{:}A.\,N_1 \cap \lambda x^u{:}A.\,N_2 \Rightarrow \lambda x^u{:}A.\,N$ (by rule $\cap\mathrm{L}$)

$\Psi \vdash \lambda x^u{:}A.\,M \in \|\lambda x^u{:}A.\,N\|$ (by rule grLam)

Case: $\mathcal{D}_1, \mathcal{D}_2$ end in grApp: a straightforward appeal to the inductive hypothesis, as in the above case.

□

For the other direction, we are going to prove a stronger result:

Theorem 4.34 For any simple linear terms $N_1$ and $N_2$ without shared variables such that $\Psi \vdash N_1 : A$ and $\Psi \vdash N_2 : A$, for every $N$ such that $\Psi \vdash N_1 \cap N_2 \Rightarrow N$, if $\Psi \vdash M \in \|N\| : A$, then $\Psi \vdash M \in \|N_1\| : A$ and $\Psi \vdash M \in \|N_2\| : A$.

Proof: By induction on the structure of $\mathcal{D} :: \Psi \vdash N_1 \cap N_2 \Rightarrow N$ and inversion on $\mathcal{D}' :: \Psi \vdash M \in \|N\| : A$.

Case: $\mathcal{D}$ ends in $\cap\mathrm{FF}$: by Remark 4.22 and the right-to-left direction of Lemma 4.26.

Case: $\mathcal{D}$ ends in $\cap\mathrm{FR}^\Sigma$:

$\mathcal{D} :: \Psi \vdash E\,\Phi \cap c\,Q_1^n \Rightarrow c\,N_1^n$ (by hypothesis)

$\mathcal{D}_i :: \Psi \vdash E_i\,\Phi_i \cap Q_i \Rightarrow N_i$, $1 \le i \le n$ (by sub-derivation)

$\Psi \vdash M \in \|c\,N_1^n\|$ (by hypothesis)

$M = c\,M_1^n$ and $\Psi \vdash M_i \in \|N_i\|$ (by inversion)

$\Psi \vdash M_i \in \|Q_i\|$ and $\Psi \vdash M_i \in \|E_i\,\Phi_i\|$ (by IH on $\mathcal{D}_i$)

$M_i \downarrow t_i\,\Phi_i$ where $t_i = \lambda\Phi_i.\,M_i$, such that $(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash M_i : A_i$ (by rule grFlx, for $(\Gamma,\Delta_i^u);\Omega;\Delta_i^1 \vdash \Phi_i\ \mathit{ok}$)

$\Gamma;\Omega;\Delta \vdash c\,M_1^n : a$ (by rule ${\to}\mathrm{E}^\Sigma$, Lemma 4.27, since the proviso satisfies 1 and 2)

$\Psi \vdash c\,M_1^n \in \|E\,\Phi\|$ (by rule grFlx)

$\Psi \vdash c\,M_1^n \in \|c\,Q_1^n\|$ (by rule grApp)

Case: $\mathcal{D}$ ends in $\cap\mathrm{FR}^\Gamma$: proceed as above, but using Lemma 4.30.

Case: $\mathcal{D}$ ends in $\cap\mathrm{L}$: by IH, as in Theorem 4.33.

Case: $\mathcal{D}$ ends in $\cap\mathrm{RR}$: ditto.

□

Corollary 4.35 (Adequacy of Pattern Intersection) Fix a signature $\Sigma$. For every simple (linear) terms $N_1$ and $N_2$ without shared variables such that $\Gamma \vdash N_1 : A$ and $\Gamma \vdash N_2 : A$, and for every $M$, $\Gamma \vdash M \in \|N_1\| : A$ and $\Gamma \vdash M \in \|N_2\| : A$ iff $\Gamma \vdash M \in \|N_1 \cap N_2\| : A$.

Proof: From Theorems 4.33 and 4.34. □


4.4 The Algebra of Strict Terms

An interesting and natural question is whether complementation is involutive. The answer is of course positive, since involution is a boolean property and the complement operation has been shown to satisfy "tertium non datur" and the principle of non-contradiction. Rather than proving involution in isolation, we will show that every other boolean property is satisfied. As the complement of a term is possibly a finite set of terms, we need to extend the intersection and complement operations to finite sets of terms. For the sake of readability, we shall define this in the empty context. It is clear, although cumbersome, how to generalize it. We also drop the type information and overload the singleton terms notation.

Definition 4.36 If $\mathcal{M}$ and $\mathcal{N}$ are finite sets of (linear) simple terms of type $A$, define:
$$\mathcal{M} \cap \mathcal{N} = \{Q \mid Q \in M \cap N,\ M \in \mathcal{M},\ N \in \mathcal{N}\}$$
$$\mathrm{Not}(\mathcal{M}) = \bigcap_{M \in \mathcal{M}} \mathrm{Not}(M)$$

These operations on sets of terms satisfy the same properties that 'singleton' intersection and complementation do.

Corollary 4.37 (Adequacy of Set Intersection) If $\mathcal{N}_1, \mathcal{N}_2$ are finite sets of (linear) simple terms of type $A$, then $\Gamma \vdash M \in \|\mathcal{N}_1\| : A$ and $\Gamma \vdash M \in \|\mathcal{N}_2\| : A$ iff $\Gamma \vdash M \in \|\mathcal{N}_1 \cap \mathcal{N}_2\| : A$.

Proof: $\Gamma \vdash M \in \|\mathcal{N}_1\| : A$ and $\Gamma \vdash M \in \|\mathcal{N}_2\| : A$ iff there are $N_1 \in \mathcal{N}_1$ and $N_2 \in \mathcal{N}_2$ such that $\Gamma \vdash M \in \|N_1\| : A$ and $\Gamma \vdash M \in \|N_2\| : A$ iff, by Corollary 4.35, $\Gamma \vdash M \in \|N_1 \cap N_2\| : A$ iff, by definition, $\Gamma \vdash M \in \|\mathcal{N}_1 \cap \mathcal{N}_2\| : A$. □

Corollary 4.38 (Set Partition Lemma) Let $\mathcal{N}$ be a finite set of (linear) simple terms of type $A$:

1. (Disjointness) It is not the case that $\Gamma \vdash M \in \|\mathcal{N}\| : A$ and $\Gamma \vdash M \in \|\mathrm{Not}(\mathcal{N})\| : A$.
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2.  (Exhaustivity)  F  h  M  G  \\Af\\  :  A  or  F  h  M  G  l|Not(A/*)||  :  A. 

Proof: 

1.  Assume  F  h  M  G  \\Af\\  :  A  and  F  h  M  G  ||Not(A/’)||  :  A,  By  rule  gr^,  F  h  M  G  ||A^||  :  A,  for  some 
N  £  Af.  By  definition,  F  h  M  G  ||  CiNeAf  Not(iV)||  :  A;  by  (repeated  application  of)  Corollary  4.35 
F  h  M  G  ||Not(iV)||  :  A,  for  every  N  £  Af,  impossible  by  the  Partition  Lemma. 

2.  Similarly  to  the  above. 

□ 

It is therefore possible to organize the set of finite sets of simple terms over a given signature, call it $\mathcal{T}_f$, into a boolean algebra under set union, pattern intersection and complementation, by taking equality as extensional identity (on sets of ground terms), that is, in symbols:

$\mathcal{N}_1 \equiv \mathcal{N}_2$ iff $\|\mathcal{N}_1\| = \|\mathcal{N}_2\|$

Theorem 4.39 Consider the algebra of finite sets of simple terms $(\mathcal{T}_f, \emptyset, \cup, \cap, \mathrm{Not})$ under set union, pattern intersection and complementation. Then the following holds (where $\top$ denotes the top element of the algebra):

1. $\mathcal{M} \cap \mathcal{M} \equiv \mathcal{M}$.

2. $\mathcal{M} \cap \mathcal{N} \equiv \mathcal{N} \cap \mathcal{M}$.

3. $\mathcal{M} \cap (\mathcal{N} \cup \mathcal{P}) \equiv (\mathcal{M} \cap \mathcal{N}) \cup (\mathcal{M} \cap \mathcal{P})$.

4. $\mathcal{M} \cap (\mathcal{N} \cap \mathcal{P}) \equiv (\mathcal{M} \cap \mathcal{N}) \cap \mathcal{P}$.

5. $\mathrm{Not}(\mathrm{Not}(\mathcal{M})) \equiv \mathcal{M}$.

6. $\mathrm{Not}(\top) \equiv \emptyset$.

7. $\mathrm{Not}(\emptyset) \equiv \top$.

Proof: From Corollaries 4.37 and 4.38 and the fact that $\cup$ is set-theoretic. □

Corollary 4.40 The algebra $(\mathcal{T}_f, \emptyset, \cup, \cap, \mathrm{Not})$ of finite sets of simple (linear) terms is boolean.

Proof: Theorem 4.39 confirms that the above operators satisfy the boolean algebra axioms. □

Corollary 4.40 guarantees that any other boolean operation is definable: indeed complementation and intersection alone allow us to define the relative complement operation:

Definition 4.41 Given $\mathcal{M}$ and $\mathcal{N}$ sets of simple terms of type $A$:

$\mathcal{M} - \mathcal{N} = \mathcal{M} \cap \mathrm{Not}(\mathcal{N})$

The adequacy of this encoding follows immediately from the Partition Lemma and soundness and completeness of intersection.

Corollary 4.42 $\Gamma \vdash M \in \|\mathcal{M}\| - \|\mathcal{N}\|$ iff $\Gamma \vdash M \in \|\mathcal{M} - \mathcal{N}\|$.

Proof: $\Gamma \vdash M \in \|\mathcal{M}\| - \|\mathcal{N}\|$ iff $\Gamma \vdash M \in \|\mathcal{M}\|$ and $\Gamma \vdash M \notin \|N\|$ for every $N \in \mathcal{N}$ iff (Corollary 4.38) $\Gamma \vdash M \in \|\mathcal{M}\|$ and $\Gamma \vdash M \in \|\mathrm{Not}(\mathcal{N})\|$ iff (Corollary 4.35) $\Gamma \vdash M \in \|\mathcal{M} \cap \mathrm{Not}(\mathcal{N})\|$ iff, by definition, $\Gamma \vdash M \in \|\mathcal{M} - \mathcal{N}\|$. □
It is notable that the $\cup$ operator must be set-theoretic union rather than anti-unification or generalization, as is traditional in lattice-theoretic investigations of the algebra of terms [Plo71]. The problem is the intrinsically classical nature of complementation, which is not compatible with the very irregular structure of the lattice of terms where anti-unification is interpreted as the least upper bound. Indeed, De Morgan’s rules would fail, namely, denoting anti-unification with ‘$\vee$’:

$\mathrm{Not}(s(0) \vee s(s(0))) = \mathrm{Not}(s(Y)) = \{0\} \neq \{0, s(s(s(X)))\} = \mathrm{Not}(s(0)) \cap \mathrm{Not}(s(s(0)))$
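As an added illustration (not code from the thesis), the following Python program implements the first-order instance of the operations above: the Not algorithm and pattern intersection over the numeral signature {0, s}, lifted to finite sets as in Definitions 4.36 and 4.41, together with a check of the Set Partition Lemma and of the De Morgan failure just shown; it also computes Not(0) ∩ Not(s(s(Y))) = {s(0)}, the relative-complement step that Section 5.1 uses in place of disunification. The tuple encoding of terms and all function names are our own choices.

```python
# Added example, not the thesis's own code: first-order term complement (Not)
# and pattern intersection over the numeral signature {0, s}, lifted to finite
# sets of linear patterns as in Definitions 4.36 and 4.41. Function names and
# the tuple encoding of terms are our own choices.
from itertools import count

ZERO = ('0',)
def S(t): return ('s', t)          # successor constructor
def V(name): return ('V', name)    # pattern (existential) variable
def is_var(t): return t[0] == 'V'

_ids = count()
def rename(t, env=None):
    """Rename the variables of a pattern apart, so two patterns never share one."""
    env = {} if env is None else env
    if is_var(t):
        return env.setdefault(t, V('_%d' % next(_ids)))
    return S(rename(t[1], env)) if t[0] == 's' else t

def walk(t, sub):
    """Follow variable bindings in the substitution."""
    while is_var(t) and t in sub:
        t = sub[t]
    return t

def occurs(v, t, sub):
    t = walk(t, sub)
    return t == v if is_var(t) else (t[0] == 's' and occurs(v, t[1], sub))

def unify(a, b, sub):
    """Robinson unification; returns the extended substitution or None."""
    a, b = walk(a, sub), walk(b, sub)
    if a == b:
        return sub
    if is_var(a):
        return None if occurs(a, b, sub) else {**sub, a: b}
    if is_var(b):
        return unify(b, a, sub)
    if a[0] != b[0]:                 # 0 against s(_): clash
        return None
    return unify(a[1], b[1], sub)    # both successors

def apply(t, sub):
    t = walk(t, sub)
    return S(apply(t[1], sub)) if t[0] == 's' else t

def intersect(m, n):
    """Pattern intersection M ∩ N: the most general common instance, if any."""
    m, n = rename(m), rename(n)
    sub = unify(m, n, {})
    return None if sub is None else apply(m, sub)

def complement(t):
    """Not(t) for a linear pattern over {0, s}:
    Not(X) = {}, Not(0) = {s(X)}, Not(s(u)) = {0} ∪ {s(w) | w ∈ Not(u)}."""
    if is_var(t):
        return []
    if t == ZERO:
        return [S(V('X'))]
    return [ZERO] + [S(w) for w in complement(t[1])]

def set_intersect(M, N):             # Definition 4.36, intersection of sets
    return [q for m in M for n in N if (q := intersect(m, n)) is not None]

def set_complement(M):               # Definition 4.36: Not(M) = ⋂ Not(m), m ∈ M
    acc = [V('X')]                   # the pattern X alone denotes every ground term
    for m in M:
        acc = set_intersect(acc, complement(m))
    return acc

def set_minus(M, N):                 # Definition 4.41: M − N = M ∩ Not(N)
    return set_intersect(M, set_complement(N))

def anti_unify(a, b):
    """Least general generalization ('∨' in the text), used only to exhibit
    why union cannot be anti-unification."""
    if not is_var(a) and not is_var(b) and a[0] == b[0] == 's':
        return S(anti_unify(a[1], b[1]))
    return a if a == b else V('Y')

def canon(t, env=None):
    """Canonical variable naming so that alphabetic variants compare equal."""
    env = {} if env is None else env
    if is_var(t):
        return env.setdefault(t, V('X%d' % len(env)))
    return S(canon(t[1], env)) if t[0] == 's' else t

def canon_set(M):
    return sorted(set(canon(m) for m in M))

def member(t, M):
    """Γ ⊢ t ∈ ‖M‖ for a ground term t: t is an instance of some pattern in M."""
    return any(unify(rename(m), t, {}) is not None for m in M)

def numeral(n):
    t = ZERO
    for _ in range(n):
        t = S(t)
    return t

def partition_ok(M, ground_terms):
    """Corollary 4.38: each ground term lies in exactly one of ‖M‖, ‖Not(M)‖."""
    not_M = set_complement(M)
    return all(member(t, M) != member(t, not_M) for t in ground_terms)

# Constructed demonstration values.
Y = V('Y')
SOLVED = set_intersect(complement(ZERO), complement(S(S(Y))))      # x ≠ 0 ∧ ∀y. x ≠ s(s(y))
LHS = set_complement([anti_unify(S(ZERO), S(S(ZERO)))])             # Not(s(0) ∨ s(s(0)))
RHS = set_intersect(complement(S(ZERO)), complement(S(S(ZERO))))    # Not(s(0)) ∩ Not(s(s(0)))

if __name__ == '__main__':
    print(canon_set(SOLVED))               # {s(0)}
    print(canon_set(LHS), canon_set(RHS))  # {0} versus {0, s(s(s(X)))}: De Morgan fails
```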

We  end  this  chapter  with  a  preview  of  how  term  complement  will  be  used  as  a  building  block  of  the 
clause  complement  algorithm. 

Example 4.43 We can combine Examples 2.6 and 2.8:

Not{app (lam (λx:exp. E x)) F, lam (λx¹:exp. app (E x⁰) x)} =

Not(app (lam (λx:exp. E x)) F) ∩ Not(lam (λx¹:exp. app (E x⁰) x)) =

{lam (λx:exp. H x),
 app (app H H') H''}

∩

{lam (λx¹:exp. app (H x¹) (H' x)),
 lam (λx:exp. app (H x) (app (H' x) (H'' x))),
 lam (λx:exp. app (H x) (lam (λy:exp. H' x y))),
 lam (λx:exp. lam (λy:exp. H x y)),
 lam (λx¹:exp. x),
 app H H'} =

{lam (λx¹:exp. app (H x¹) (H' x)),
 lam (λx:exp. app (H x) (app (H' x) (H'' x))),
 lam (λx:exp. app (H x) (lam (λy:exp. H' x y))),
 lam (λx:exp. lam (λy:exp. H x y)),
 lam (λx¹:exp. x),
 app (app H H') H''}


Thus given the ‘program’:

betarx : isredx(app (lam (λx:exp. E x)) F).
etarx : isredx(lam (λx¹:exp. app (E x⁰) x)).

Computing the complement of each head as in Example 4.43 yields the complementary program:

nb1 : non_isredx(lam (λx¹:exp. app (H x¹) (H' x))).
nb2 : non_isredx(lam (λx:exp. app (H x) (app (H' x) (H'' x)))).
nb3 : non_isredx(lam (λx:exp. app (H x) (lam (λy:exp. H' x y)))).
nb4 : non_isredx(lam (λx:exp. lam (λy:exp. H x y))).
nb5 : non_isredx(lam (λx¹:exp. x)).
nb6 : non_isredx(app (app H H') H'').

4.5  Summary 

In this chapter we have been concerned with the relative complement problem in a setting where patterns may contain binding operators, so-called higher-order patterns. Higher-order patterns inherit many pleasant properties from the first-order case, even for complex type theories. Unfortunately, the complement operation does not generalize as smoothly. The complement of a partially applied higher-order pattern cannot be described by a pattern, or even by a finite set of patterns. The formulation of the problem suggests that we should consider a λ-calculus with an internal notion of strictness, so that we can directly express that a term must depend on a given variable. For reasons of symmetry and elegance we have also added the dual concept of invariance, expressing that a given term does not depend on a given variable. We have developed such a calculus and shown that, for a suitable embedding of simply-typed patterns in our calculus, the complement of a linear pattern is a finite set of linear patterns, and unification of two patterns is decidable and leads to a finite set of most general unifiers. Consequently, finite sets of linear patterns in the strict λ-calculus are closed under complement and unification. If we think of finite sets of linear patterns as representing the set of all their ground instances, then they form a boolean algebra under simple union, intersection (implemented via unification) and the complement operation.


Chapter  5 


Elimination  of  Negation  in  Clauses 


The  transformational  approach  to  negation  in  normal  programs  has  a  somewhat  long  history,  see  [Nai86]  for 
a  survey  of  the  early  80’s.  The  idea  was  to  implement  negation  using  inequalities,  so  that  the  complement 
of  any  predicate  occurring  negatively  in  a  program  is  synthesized  to  obtain  an  equivalent  definite  program. 
This  was  first  proposed  in  [ST84]. 

5.1  The  Completion 

At the risk of being trivial, let us start by asking naively what the complement of a program should be; if we see the latter as a set of (possibly mutually recursive) predicate definitions, its negation would be the set of the negations of those definitions. Thus, let us concentrate on a program definition as our target and consider the simplest case, i.e. that of a single clause $q(0)$ on the signature of numerals. Our first instinct would be to use the Not algorithm and, by computing $\mathrm{Not}(0) = s(X)$, assert $\forall X{:}nat.\ \neg q(s(X))$; this is indeed the right thing to do, but we need to justify it formally. We can look at the definition $q(0)$ as a degenerate case (that is, with trivial condition) of an inductive definition; an equivalent formulation would be:

$\forall X{:}nat.\ q(X) \leftarrow X = 0.$

for an object-logic equality symbol ‘$=$’, which simply expresses the condition $X = 0$ for atoms to be in the inductive definition of $q$. In this chapter we use just ‘$=$’. The next step is to enforce the minimality condition by saying that the latter is the only way to belong to the definition. One way to achieve that is by turning the $\leftarrow$ connective into a biconditional:

$\forall X{:}nat.\ q(X) \leftrightarrow X = 0.$

This is in a nutshell Clark’s very fortunate idea of the completion of a program [Cla78]. What is left is describing how to interpret the equality relation; this is accomplished by the so-called Clark’s equality theory, that is the axioms of free equality: namely, the usual equality axioms including congruence, plus the axioms for finite trees. Indeed, this theory is the axiomatic and proof-theoretic rendering of the unification algorithm; for a proof see for example Stärk’s thesis [Sta92]. For instance, the following is free equality over numerals:

$(\mathit{Dec}) : \forall x, y.\ s(x) = s(y) \to x = y$

$(\mathit{Clh}) : \forall x.\ 0 \neq s(x)$

$(\mathit{Ock}) : \forall x.\ x \neq t[x]$ if $x$ occurs properly in $t[x]$

$(\mathit{DCA}) : \forall x.\ x = 0 \vee \exists y.\ x = s(y)$

The last axiom is the Domain Closure Axiom [MMP88], which is required to give a complete axiomatization of finite trees over finite signatures. Since we will not consider unification so far, we will keep this relation uninterpreted; thus those axioms do not play any role, which is handy, as it allows us to dispense with the issue of the compatibility of DCA with dynamic extensions of the signature.
$\forall x.\ \mathit{even}(x) \leftrightarrow x = 0 \vee \exists y.\ x = s(s(y)) \wedge \mathit{even}(y)$

$\forall x.\ \neg\mathit{even}(x) \leftrightarrow \neg(x = 0 \vee \exists y.\ x = s(s(y)) \wedge \mathit{even}(y))$

$\Longrightarrow_{\mathit{nnf}}$

$\forall x.\ \neg\mathit{even}(x) \leftrightarrow x \neq 0 \wedge (\forall y.\ x \neq s(s(y)) \vee \neg\mathit{even}(y))$

$\forall x.\ \neg\mathit{even}(x) \leftrightarrow x \neq 0 \wedge ((\forall y.\ x \neq s(s(y))) \vee (\exists y.\ x = s(s(y)) \wedge \neg\mathit{even}(y)))$

$\Longrightarrow_{\mathit{dnf}}$

$\forall x.\ \neg\mathit{even}(x) \leftrightarrow (x \neq 0 \wedge \forall y.\ x \neq s(s(y))) \vee (x \neq 0 \wedge \exists y.\ x = s(s(y)) \wedge \neg\mathit{even}(y))$

$\Longrightarrow_{\mathit{disunify}(x \neq 0 \wedge \forall y.\ x \neq s(s(y)))}$

$\forall x.\ \neg\mathit{even}(x) \leftrightarrow x = s(0) \vee (x \neq 0 \wedge \exists y.\ x = s(s(y)) \wedge \neg\mathit{even}(y))$

$\Longrightarrow_{\mathit{disunify}(x \neq 0 \wedge \exists y.\ x = s(s(y)))}$

$\forall x.\ \neg\mathit{even}(x) \leftrightarrow x = s(0) \vee (\exists y.\ x = s(s(y)) \wedge \neg\mathit{even}(y))$

$\Longrightarrow_{\mathit{prettyp}}$

$\mathit{odd}(s(0)).$

$\mathit{odd}(s(s(y))) \leftarrow \mathit{odd}(y).$

Figure 5.1: Synthesis of the predicate odd


Of course, definitions are usually more interesting than a simple clause, so let us step to the next simplest example, even numbers:

even(0).
even(s(s(Y))) ← even(Y).

To turn this code into a minimal inductive definition, we need to normalize the conjunction of clauses, building what is known in the logic programming jargon as the completed definition of a predicate, a process described for example in [AB94]. The net result is the axiom:

$\forall x.\ \mathit{even}(x) \leftrightarrow x = 0 \vee \exists y.\ x = s(s(y)) \wedge \mathit{even}(y)$

One way to obtain the complement definition, that is odd, would be to reason classically on the completed program by taking the contrapositive of the completion. Let me offer the following rational reconstruction. We may use rewrite rules to achieve conversion into negation normal form (nnf) and into disjunctive normal form (dnf), plus some more massage to preserve the original positive bindings in clauses. Once this is done, we need a way to solve the possibly universally quantified disequalities we have created. A call of the disunification algorithm described in Section 2.2 ($\mathit{disunify}(\ldots)$) is enough to obtain a solved form, from which we can recover the intended negated program. This is best explained in Figure 5.1, which uses the sub-computation of $\forall y.\ z \neq 0 \wedge z \neq s(s(y))$, detailed in Example 2.2.

Following this drift, an extensive project started in Pisa under the name of intensional negation [BMPT87, MMP88, BMPT90, ABT90, MPRT90b, FBM93]. In particular [BMPT90] computes the set-theoretic complement of the terms in the negative predicate, compiling away the inequalities. The authors restrict to a class of left-linear non-stratified programs called flat, where all predicates are defined by a single clause (and hence we have no disjunction in the completion) and such that if a head contains non-variable terms, the body must be a single literal. With some painful source-to-source transformations, programs can be turned in and out of this format. Thanks to this, the transformation of the completion delineated above yields only disequations of the form $x \neq t$, which the Not algorithm can solve.

If  we  discard  for  the  moment  the  problematic  issue  of  local  variables,  i.e.  variables  that  appear  in  the 
body  but  not  in  the  head  of  a  clause  (as  they  turn  out  to  become  universally  quantified  in  an  extensional 
sense  during  the  completion  transformation),  this  seems  at  first  sight  fairly  convincing.  On  the  other  hand, 
managing  control  of  disunification  and  rewrite  rules  requires  some  ingenuity  as  the  following  example  shows: 
Example 5.1 Consider the usual program for membership in lists:

member(X, X.XS).
member(X, Y.YS) ← member(X, YS).

Its completion is

$\forall z, zs.\ (\mathit{member}(z, zs) \leftrightarrow \exists x, xs.\ (zs = x.xs \wedge z = x) \vee \exists x, y, ys.\ (zs = y.ys \wedge z = x \wedge \mathit{member}(x, ys)))$

The synthesis of its negation is depicted in Figure 5.2. Not only is disunification more complex, as there are a few choices of variables where the Explosion rule can be applied, but propositional transformations are difficult to direct as well.

Working with flat programs is not a real alternative, since some form of partial evaluation is needed to recover some structure in the target program. In fact, the more mature version presented in [FBM93] embraces the constraint logic programming approach. We will instead give a completely deterministic algorithm to compute the negation of programs. This is based on solving the relative complement problem by pairing term complement with unification and is proven correct by Corollary 4.40; that is, we do not need full disunification, as we can solve, for example, $x \neq 0 \wedge \forall y.\ x \neq s(s(y))$ by computing $\mathrm{Not}(0) \cap \mathrm{Not}(s(s(Y)))$.

There is one further, more basic difficulty with the completion-based approaches: they use transformations that are intrinsically classical and turn out to preserve the operational semantics only because in Horn logic classical and intuitionistic provability coincide. We discuss this issue further in Section 5.3. We will instead lift the boolean operations we have introduced on (simple) terms to clauses (programs) and we shall prove that they still satisfy the usual boolean rules; in particular we will verify that clause complementation fulfills exclusivity and exhaustivity. This high-level ‘boolean’ language will eventually be compiled into a version of HHF that is amenable to a complete uniform proof search strategy. We offer an informal discussion next (Section 5.2).

5.2  Introduction  to  HHF  Complementation 

Consider the following judgment to check whether a lambda term is linear¹, i.e. whether every functional sub-term uses each of its arguments exactly once:


$\dfrac{}{x \text{ linear}}\ u$

$\dfrac{\lambda x.\,e \text{ linear in } x \qquad e \text{ linear}}{\lambda x.\,e \text{ linear}}\ \mathit{linlam}^{x,u}$

(in $\mathit{linlam}^{x,u}$ the second premise may use the hypothesis $u$, which the rule discharges)

$\dfrac{e_1 \text{ linear} \qquad e_2 \text{ linear}}{(e_1\ e_2) \text{ linear}}\ \mathit{linapp}$

$\dfrac{}{\lambda x.\,x \text{ linear in } x}\ \mathit{linxx}$

$\dfrac{\lambda x.\,e \text{ linear in } x}{\lambda x.\,\lambda y.\,e \text{ linear in } x}\ \mathit{linxlm}^{y}$

$\dfrac{\lambda x.\,e_1 \text{ linear in } x}{\lambda x.\,(e_1\ e_2) \text{ linear in } x}\ \mathit{linxapp1}$

$\dfrac{\lambda x.\,e_2 \text{ linear in } x}{\lambda x.\,(e_1\ e_2) \text{ linear in } x}\ \mathit{linxapp2}$

¹ Do not confuse this notion with the one which refers to a term not having repeated occurrences of the same existential variable.
[Figure 5.2 (derivation layout not recoverable): synthesis of the nonmember predicate from comp(member) through the steps lift, dnf, disunify, norm and prettyp, with sub-cases (d1), (d1.1), (d1.2) and (d2); the resulting program is]

nonmember(X, nil).
nonmember(X, Y.YS) ← X ≠ Y, nonmember(X, YS).

Figure 5.2: Synthesis of the nonmember predicate
Intuitively, we check for linearity of a function by making sure that it is linear in its first argument (judgment ‘λx. e linear in x’) and then recurring on the rest of the expression. Note that the rule $\mathit{linlam}^{x,u}$ is hypothetical in $u$ and parametric in $x$; rule $\mathit{linxlm}^{y}$ is instead only parametric in $x$.

Frameworks based on HHF provide an ideal syntax to represent these judgments; namely, via the usual encoding introduced in Example 2.6:

Example 5.2

linlam : linear(lam (λx. E x))
  ← linx(λx. E x)
  ← (∀x:exp. linear(x) → linear(E x)).

linapp : linear(app E1 E2)
  ← linear(E1)
  ← linear(E2).

linxx : linx(λx. x).

linxap1 : linx(λx. app (E1 x) E2)
  ← linx(λx. E1 x).

linxap2 : linx(λx. app E1 (E2 x))
  ← linx(λx. E2 x).

linxlm : linx(λx. lam(λy. E x y))
  ← (∀y:exp. linx(λx. E x y)).

The judgment and its implementation are clearly a decision procedure. It does make sense to ask ourselves what its complement is. An expression is not linear if there is some function which either does not use its argument or uses it more than once. We first observe that, since linear is a relation defined via exhaustive and exclusive patterns, term complementation does not play a role. Then, the complement of linapp does not pose any problem, as it is a Horn clause: an application is not linear if either the first element or the second is not linear.

¬linapp : ¬linear(app E1 E2)
  ← ¬linear(E1) ∨ ¬linear(E2).

A lambda expression is not linear in two cases: first, if it is not linear in its first argument:

¬linlam1 : ¬linear(lam(λx. E x))
  ← ¬linx(λx. E x).

Secondly, if its body is not linear. Now, this poses new problems, as we have to negate a hypothetical and parametric clause. Let us follow our nose and reason by example: suppose we are given, in the empty context, a goal linear(lam(λx. lam(λy. x))), which is unprovable, since the second lambda term is not linear in y; the proof tree yields the failure leaf linx(λy. z), for a new parameter z, in the context z:exp; linear(z). Our guiding intuition is that we want to mimic a failure derivation so as to provide a successful derivation from the negative definition, i.e. a proof of ¬linx(λy. z) from z:exp; linear(z); this shows one prominent feature of complementation of an HHF formula: negation ‘skips’ over ∀ and →, since it needs to mirror failure from assumptions.

Let us turn to complementing the judgment ‘linear in x’. A first point to note is that, by encoding an object expression ‘e’ with a pattern variable, we must make sure that in clauses linxap1, linxap2 the variable x does not occur in the argument which is not checked. We thus embed the clause in the strict λ-calculus and ‘E’ in the simple term ‘E x⁰’. For the sake of readability we do this only for the two aforementioned clauses and we also hide ()ᵘ annotations.
linxap1 : linx(λx. app (F x¹) (G x⁰))
  ← linx(λx. F x¹).

linxap2 : linx(λx. app (F x⁰) (G x¹))
  ← linx(λx. G x¹).

Via term complementation and intersection in the strict λ-calculus we obtain, among others:

¬linxap1 : ¬linx(λx. app (F x⁰) (G x⁰)).

¬linxap2 : ¬linx(λx. app (F x¹) (G x¹)).

Moreover, similarly to the case of top-level application, the complement of linxapi holds if the body does not hold:

¬linxap1 : ¬linx(λx. app (F x¹) (G x⁰))
  ← ¬linx(λx. F x¹).

¬linxap2 : ¬linx(λx. app (F x⁰) (G x¹))
  ← ¬linx(λx. G x¹).

Now, let us examine clause linxlm and let us reconsider the failure leaf linx(λy. z) from the context z:exp; linear(z). In a first attempt, let us consider what the complement would be according to the idea above:

¬linxlm : ¬linx(λx. lam(λy. E x y))
  ← (∀y:exp. ¬linx(λx. E x y)).

However, there is no way to obtain a proof of ¬linx(λy. z) from the current context. Indeed, the linxlm clause does not carry enough information by itself for its complement to mimic the failure proof. In a sense that we will make precise, the clause, and in turn its predicate definition, is not assumption-complete: once it has introduced a new parameter, the clause only specifies how to use it in a positive context. It is up to us to synthesize its dynamic negative definition, in this case exactly ¬linx(λy. z). More generally, it is a characteristic of HHF that the negation of a clause is not enough to determine the behavior of a program under complementation. We will have to insert (via a source-to-source transformation) additional structure in a predicate definition in order to completely determine the provability and failure of goals which mention parameters. By observing the structure of all possible assumptions that a predicate definition can make, we will augment those assumptions with their negative definition. In particular, we first augment the clause linxlm:

aug(linxlm) : linx(λx. lam(λy. E x y))
  ← (∀y:exp. ¬linx(λx. y) → linx(λx. E x y)).

so that, by complementation, we obtain

¬aug(linxlm) : ¬linx(λx. lam(λy. E x y))
  ← (∀y:exp. ¬linx(λx. y) → ¬linx(λx. E x y)).

Moreover, we need to do the same with the linlam clause, since the linx predicate may occur as a subgoal:

aug(linlam) : linear(lam(λx. E x))
  ← linx(λx. E x)
  ← (∀x:exp. (¬linx(λy. x) ∧ linear(x)) → linear(E x)).


In summary the negative program is:

¬linapp : ¬linear(app E1 E2)
  ← ¬linear(E1) ∨ ¬linear(E2).

¬linlam1 : ¬linear(lam(λx. E x))
  ← ¬linx(λx. E x)
  ∨ (∀x:exp. (¬linx(λy. x) ∧ linear(x)) → ¬linear(E x)).

¬linxap1 : ¬linx(λx. app (F x⁰) (G x⁰)).

¬linxap2 : ¬linx(λx. app (F x¹) (G x¹)).

¬linxap3 : ¬linx(λx. app (F x¹) (G x⁰)) ← ¬linx(λx. F x¹).

¬linxap4 : ¬linx(λx. app (F x⁰) (G x¹)) ← ¬linx(λx. G x¹).

¬linxlm : ¬linx(λx. lam(λy. E x y))
  ← (∀y:exp. ¬linx(λx. y) → ¬linx(λx. E x y)).

While it is not impossible² to manually come up with this program, by writing predicate definitions formalizing when terms are strict (that is, variable arguments occur at least once) and vacuous (that is, arguments are guaranteed not to occur) and then by merging them in the correct fashion, it would be better to have this done automatically, especially considering changes or extensions of the original program.
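As an added example (not the thesis's own code), the following Python program runs the positive judgment linear/linx and the synthesized negative program side by side over a small enumerated set of λ-terms, checking that for every term exactly one of the two is provable, which is the exclusivity and exhaustivity that clause complementation is meant to guarantee. The strictness labels x¹/x⁰ are decided by an occurrence check, the parameter assumptions linear(x) and ¬linx(λx. y) are built into the variable cases, and the constructors var/app/lam and all helper names are our own choices.

```python
# Added example, not the thesis's own code: the linearity judgment of this
# section (linear / linx) next to the synthesized negative program
# (nonlinear / nonlinx), checked against each other on enumerated terms.
# Constructors and helper names are our own choices.

def var(x): return ('var', x)
def app(e1, e2): return ('app', e1, e2)
def lam(x, e): return ('lam', x, e)

def occurs(x, e):
    """Strictness label of e in x: True stands for x^1, False for x^0."""
    tag = e[0]
    if tag == 'var':
        return e[1] == x
    if tag == 'app':
        return occurs(x, e[1]) or occurs(x, e[2])
    return e[1] != x and occurs(x, e[2])

# Positive program.
def linx(x, e):
    """λx.e linear in x: clauses linxx, linxap1, linxap2, linxlm."""
    tag = e[0]
    if tag == 'var':
        return e[1] == x                            # linxx; a parameter y ≠ x matches no clause
    if tag == 'app':
        e1, e2 = e[1], e[2]
        if occurs(x, e1) and not occurs(x, e2):     # linxap1: app (F x^1) (G x^0)
            return linx(x, e1)
        if occurs(x, e2) and not occurs(x, e1):     # linxap2: app (F x^0) (G x^1)
            return linx(x, e2)
        return False                                 # no head matches
    y, body = e[1], e[2]                             # linxlm: parametric in y
    return y != x and linx(x, body)

def linear(e):
    """e linear: clauses linlam and linapp."""
    tag = e[0]
    if tag == 'var':
        return True                                  # assumption linear(x) introduced by linlam
    if tag == 'app':
        return linear(e[1]) and linear(e[2])         # linapp
    x, body = e[1], e[2]
    return linx(x, body) and linear(body)            # linlam: parametric in x, hypothetical in u

# Negative program, following the summary listing of this section.
def nonlinx(x, e):
    """¬linx: clauses ¬linxap1..¬linxap4 and ¬linxlm, with the dynamic
    assumption ¬linx(λx. y) that augmentation introduces for each parameter y."""
    tag = e[0]
    if tag == 'var':
        return e[1] != x                             # ¬linx(λx. y) for a parameter y
    if tag == 'app':
        e1, e2 = e[1], e[2]
        s1, s2 = occurs(x, e1), occurs(x, e2)
        if s1 == s2:                                 # ¬linxap1 (both x^0) / ¬linxap2 (both x^1)
            return True
        return nonlinx(x, e1) if s1 else nonlinx(x, e2)   # ¬linxap3 / ¬linxap4
    y, body = e[1], e[2]
    return y == x or nonlinx(x, body)                # ¬linxlm

def nonlinear(e):
    """¬linear: clauses ¬linapp and ¬linlam1 (both of its disjuncts)."""
    tag = e[0]
    if tag == 'var':
        return False                                 # a parameter x only carries linear(x)
    if tag == 'app':
        return nonlinear(e[1]) or nonlinear(e[2])    # ¬linapp
    x, body = e[1], e[2]
    return nonlinx(x, body) or nonlinear(body)       # ¬linlam1

def terms(depth, ctx=()):
    """Constructed sample input: every term up to `depth` over parameters ctx,
    each binder getting a name distinct from the ones in scope."""
    out = [var(x) for x in ctx]
    if depth == 0:
        return out
    smaller = terms(depth - 1, ctx)
    out += [app(a, b) for a in smaller for b in smaller]
    y = 'x%d' % len(ctx)
    out += [lam(y, b) for b in terms(depth - 1, ctx + (y,))]
    return out

def partition_holds(depth):
    """Exclusivity and exhaustivity: exactly one of linear, nonlinear per term."""
    return all(linear(e) != nonlinear(e) for e in terms(depth))

if __name__ == '__main__':
    bad = lam('x', lam('y', var('x')))               # the failing goal discussed above
    print(linear(bad), nonlinear(bad))               # False True
    print(partition_holds(3))                        # True
```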

Unfortunately the procedure we have outlined is not possible in general. Consider a clause encoding the introduction rule for implication in natural deduction, which can be used to check whether an implicational formula trivially holds:

Example 5.3

form : type
imp : form → form → form
a : form
b : form

impi : nd(A imp B) ← (nd(A) → nd(B)).

Following our earlier remark its complement would be:

¬impi1 : ¬nd(a)

¬impi2 : ¬nd(b)

¬impi : ¬nd(A imp B) ← ((∀C:form. ¬nd(C) ← C ≠ A) → ¬nd(B)).

Apparently, this specification is incorrect, since both nd(a imp a) and ¬nd(a imp a) are derivable from the empty context. We can isolate one major problem: in clause impi, the assumption nd(A) that is dynamically added to the (static) definition of the nd predicate overlaps with the head of the clause. Thus, a goal such as ¬nd(a) can be resolved with both the static and the dynamic program, yielding inconsistent solutions. A symmetrical problem can occur when dynamic and static clauses do differ but their complements do not. Suppose we introduce a predicate which checks if a number is even and non-zero as follows:

e : ev(s(s(N))) ← (ev(0) → ev(N)).

Again, our naive algorithm would incorrectly yield:

¬e1 : ¬ev(0).

¬e2 : ¬ev(s(0)).

¬e : ¬ev(s(s(N))) ← (∀M:nat. ¬ev(s(M)) → ¬ev(N)).

² For what it is worth, the first three versions of such a program I wrote were mistaken.




Thus both ev(s(s(0))) and ¬ev(s(s(0))) are incorrectly provable. The problem here is the overlap between the assumption ev(0) and the complement of the head of the e clause.

We have thus isolated two main issues:

1. Exhaustivity: we need to enrich clauses so that every (ground) goal or its negation is provable.

2. Exclusivity: we need to isolate a significant fragment where it is not the case that both a goal and its negation are provable.

We will describe in Section 6.6 a procedure that we call augmentation, which, by enriching the program with the complement of assumptions, will achieve exhaustivity (Section 6.8); moreover, we will achieve exclusivity with the restriction to complementable programs, formally introduced in Figure 6.7. To anticipate the idea, a clause is complementable if every assumption is parametric in some eigenvariable. We will try to motivate in Section 5.4 why this fragment is adequate to the practice of logical frameworks. Section 5.5 reviews some related work in the area of NF and embedded implication.


5.3  Background 

Traditionally (and ideally), a completion construction for the NF rule is an extension of a program, say $E(P)$, such that, in a logic $L$ equipped with a provability and a finite failure relation, say $\vdash_L$ and $\nvdash_L$, a consequence relation $\models_L$ and a negation sign $\neg$, for any given goal $G$ (ideally) it holds:

1. $\vdash_L G$ iff $E(P) \models_L G$.

2. $\nvdash_L G$ iff $E(P) \models_L \neg G$.

Many such constructions have been proposed for Horn logic, starting from the Closed World Assumption (CWA) [Rei78]. The Clark completion [Cla78] is perhaps the most successful proof-theoretic and finitary explanation of NF: the main idea is that clauses in a predicate definition should be seen as an iff-definition, thus enforcing the minimality condition of its inductive definition; this would correspond, in model-theoretic terms, to the existence of a least intended model. The if-part states the condition to belong to the inductive definition, while the only-if part excludes everything else, thus providing a computable approximation to the CWA. This is well understood and agreed as far as Horn logic is concerned and confirmed by the completeness of finite failure w.r.t. the completion [Apt90].

As observed first by Gabbay [Gab85], the positive logic of embedded implication is not classical but intuitionistic (actually minimal). When coupled with negation as failure in all its generality, its meta-logic fails to have some straightforward logic properties, as detailed in Section 5.5. The key difference lies in the constructive interpretation of implication and its delicate interplay with negation. While a completion construction is possible, it may not be equivalent to the adjoining of the only-if part of the program. In particular, it is not warranted to form the negation of a program by taking the contrapositive of the completed definition; this is intrinsically due to the operational semantics of failure: a goal $D \to G$ fails iff from the (scoped) assumption $D$ we have that $G$ fails. Let us try to mirror this with a logical connective:

$\neg(D \to G) \leftrightarrow D \to \neg G$   (5.1)

Similarly for parametric judgments:

$\neg(\forall x{:}A.\ G) \leftrightarrow \forall x{:}A.\ \neg G$

No standard logic of negation satisfies the above rules. In particular, it is erroneous to formulate Clark’s completion using Nelson’s strong negation [Nel49], which is currently held as the meta-logic of negation elimination in the Horn setting [GL90, Pea90]. Indeed, strong negation brings too much duality to intuitionistic logic as it is pushed in through connectives and quantifiers; in particular if $\sim$ denotes strong negation, the following holds:

$\sim(D \to G) \leftrightarrow D \wedge \sim G$

$\sim(\forall x{:}A.\ G) \leftrightarrow \exists x{:}A.\ \sim G$
Strong negation may be “the logic of information structures” [Wan93], as far as Horn logic is concerned, but it is definitely not the meta-logic of negation elimination in logical frameworks based on HHF. It is not simply a question of endowing intuitionism with a semi-classical notion of negation while preserving the disjunction and existential property. The hard point is not negation in itself, but its interaction with a more operational Brouwer-Heyting-Kolmogorov interpretation of implication.

Example 5.4 Consider the program consisting only of the clause $a \leftarrow (b \to c)$; the standard completion would be

$a \leftrightarrow (b \to c) \wedge \neg b \wedge \neg c$

Now, $a$ fails and hence $\neg a$ should follow from the iff-completion: still, $b \to c$ intuitionistically (yet not minimally) follows, while ‘$\neg a$’ is logically independent, exactly due to the failure of equivalence (5.1).

We explore in Section 5.5 how this issue has been investigated in the literature. This is relevant to our enterprise because:

• In the Horn setting, the iff-completion has been the preferred way to logically motivate the transformational approach to negation, as we have seen in Section 5.1.

• In [GO98] the authors persuasively argue that the unrestricted addition of NF to languages such as N-Prolog requires the switch to a (three-valued) modal logic.

Since we need to express the negation of a predicate in the same language where the predicate is formulated, we choose to restrict the set of programs we deem complementable in a novel and extensive way. This will help to close the gap between the two poles usually associated with classical and intuitionistic logic programming, i.e. the closed versus open world assumption. We will define a class of programs which extend the current database in a specific regular way, by ensuring that static and dynamic clauses never overlap. This property extends w.r.t. the complement program and thus has the side effect of guaranteeing the consistency of the completion. Finally we will require every goal to conform to such a schema context. We call this approach the Regular World Assumption (RWA). We argue next (Section 5.4) that this class of programs is just what the doctor ordered for logical frameworks.

5.4  Motivation 

Embedded  implication  in  intuitionistic  logic  programming  has  been  successfully  used  in  various  areas  of  logic 
programming;  we  can  roughly  divide  those  into: 

•  Meta-programming,  namely  specifying  and  implementing  (the  meta-theory  of)  deductive  systems. 

•  Hypothetical  reasoning  in  databases  [GR84,  BMV89,  Bon94]  or  simulating  imperative-style  program¬ 
ming  [BM90]. 

•  Incorporating  modules  and  local  predicate  definitions  [Mil89c,  GMR92,  KNW93]  and  state  encapsula¬ 
tion  in  object-oriented  programming  [HM90]. 

We now try to motivate why the restriction of complementation to parametric implication (formally defined in Section 6.5) is pragmatically adequate for our intended application.

When implementing deductive systems, embedded implication is usually coupled with higher-order abstract syntax to represent scoping constructs: the latter is typically used to traverse operators like abstractions and quantification and, more pervasively, to represent rules with hypothetical premises. In this application implications are typically ‘covered’ by an intensional universal quantifier which expresses the parametricity of the assumption. Dozens of examples can be found for instance in [Pfe92]. One counter-example I am aware of is the use of a logical framework to encode derivability in an object logic: here meta-logic contexts are used to manage object logic hypotheses, as in Example 5.1. We feel that this case is not typical; first of all it is questionable (and out of the scope of a logical framework) to complement recursively enumerable predicates such as general provability. Even if we limit ourselves to decision procedures such as propositional logic, we are in a sense asking for a self-referential use of implication, as we wish to represent implications in the object logic with the same connective in the meta-logic. In this case, though we have no formal proof of this, we think we have to use ad hoc techniques such as explicit management of hypotheses, say as lists; a similar approach is taken in [DM97].

Modules are usually closed assumptions and I doubt negation is useful at this level. Local definitions, such as an auxiliary reverse procedure hidden inside the naive reverse procedure, are typical only of higher-order logic programming languages such as λProlog, and require full predicate quantification. We conjecture that some of those programs can be complemented if there is no overlap between static and dynamic clauses. As far as object-oriented programming is concerned, more recent research [BDLM00] has now moved on to linear logic programming languages.

The possibility of simulating the availability of global variables in logic programming has been advocated [GO98] as the main motivation for the intertwined and unrestricted use of negation and embedded implication. We contend that sometimes this can be resolved with a refined notion of context such as the one available in linear logic programming: this also has the side-effect of by-passing the issue of non-stratification.

We now exemplify how to eliminate negation from non-stratified N-Prolog programs. We cannot say at the moment whether this transformation can be generalized and eventually mechanized. The following example (taken from [GO98]) is a non-stratified program to compute the parity of a relation encoded as n entries of the form r(X), where ‘\+’ denotes negation-as-failure:

Example 5.5 (Parity)

even ← \+ odd.

odd ← r(X), \+ mark(X), (mark(X) → even).

We can write a Lolli program [HM94] based on the same algorithm, where the linear context contains the entries of the relation and the initial token off; let −∘ and ⊗ denote linear implication and conjunction:

even ∘− r(X) ⊗ off ⊗ (on −∘ odd).
even ∘− off.

odd ∘− r(X) ⊗ on ⊗ (off −∘ even).
odd ∘− on.

The tensors consume the relation and turn the switch on or off according to the parity of the relation.

We can make a similar remark about the relative pronoun gap parsing example in Categorial Grammars [PM90], which in [BM90] is treated with intuitionistic implication plus NF. Hodas [Hod94] has shown how this can be dealt with much more elegantly, again with linear implication.


5.5  Related  Work 

In the 90's there has been some interest in combining NF with what is known as intuitionistic logic programming. The underlying languages, with the exception of [Har93], are either versions of N-Prolog or clausal intuitionistic logic. Due to the inherent difficulty with universal quantification mentioned in Subsection 1.5.2, the treatment is deprived of parametric goals. The emphasis is not on the transformational approach but on combining the non-monotonic nature of NF with the capability of embedded implication to dynamically update the current program. We will not detail here the proposed semantics (stable models [Dun92], monotonic Kripke-like models [Har89], non-monotonic perfect [BM90] or three-valued [GO98] models).

Gabbay [Gab85] pointed out that NF coupled with embedded implication seems to lead to curious paradoxes, to the point of making the whole enterprise not logically sound. These problems arise already when dealing with (propositional) normal clauses. They can be summarized as follows (taken from [NL92]).

1. Failure of transitivity, or, in other words, non-eliminability of the cut rule. Let P be:

a ← b ∧ \+ c.
b ← c.

Now, P ⊢ c → b and P ⊢ b → a, as c is undefined, but c → a is not provable from P.

2. Failure of weakening. Let P be:

b ← \+ a.

Then P ⊢ b but a → b is not provable from P.

3. “Pathology of negative information”, i.e. P ⊢ \+ (a → b) iff P ⊢ a → (\+ b).
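As an added example (my own code, not from the thesis or from [NL92]), the following Python interpreter for propositional programs with embedded implication and negation-as-failure runs the three paradoxes above and the program of Example 5.4; the goal encoding and the helper names are assumptions of this example.

```python
"""Propositional N-Prolog-style interpreter with embedded implication and
negation-as-failure (\\+), built to run the paradoxes discussed above.

Goal syntax used here (my own encoding, an assumption of this example):
    "a"               an atom
    True              the empty body of a fact
    ("and", G1, G2)   conjunction
    ("imp", D, G)     embedded implication D -> G: clause D is added to the
                      program while G is solved
    ("not", G)        negation-as-failure \\+ G
A program is a list of clauses (head, body)."""


def fact(atom):
    """A unit clause."""
    return (atom, True)


def solve(program, goal, depth=0):
    """Depth-first search for `goal` against `program`; `depth` bounds the
    search so that a looping program raises instead of running forever."""
    if depth > 50:
        raise RecursionError("search depth exceeded")
    if goal is True:
        return True
    if isinstance(goal, str):                      # backchain on the atom
        return any(solve(program, body, depth + 1)
                   for head, body in program if head == goal)
    tag = goal[0]
    if tag == "and":
        return (solve(program, goal[1], depth + 1)
                and solve(program, goal[2], depth + 1))
    if tag == "imp":                               # augment the program
        return solve(program + [goal[1]], goal[2], depth + 1)
    if tag == "not":                               # negation-as-failure
        return not solve(program, goal[1], depth + 1)
    raise ValueError(f"unknown goal {goal!r}")


# 1. Failure of transitivity:  a <- b, \+ c.   b <- c.
P1 = [("a", ("and", "b", ("not", "c"))), ("b", "c")]


def transitivity_paradox():
    """Returns (P1 |- c -> b, P1 |- b -> a, P1 |- c -> a)."""
    return (solve(P1, ("imp", fact("c"), "b")),
            solve(P1, ("imp", fact("b"), "a")),
            solve(P1, ("imp", fact("c"), "a")))


# 2. Failure of weakening:  b <- \+ a.
P2 = [("b", ("not", "a"))]


def weakening_paradox():
    """Returns (P2 |- b, P2 |- a -> b)."""
    return (solve(P2, "b"), solve(P2, ("imp", fact("a"), "b")))


# 3. Pathology of negative information, checked on an arbitrary program.
def pathology(program):
    """Returns (P |- \\+ (a -> b), P |- a -> \\+ b); the two always agree."""
    return (solve(program, ("not", ("imp", fact("a"), "b"))),
            solve(program, ("imp", fact("a"), ("not", "b"))))


# Example 5.4:  a <- (b -> c).  The goal a fails, since c is not provable
# even after assuming b.
P3 = [("a", ("imp", fact("b"), "c"))]


def example_5_4():
    return solve(P3, "a")


if __name__ == "__main__":
    print(transitivity_paradox(), weakening_paradox(),
          pathology([]), pathology([fact("b")]), example_5_4())
```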

There  are  several  solutions  to  this  riddle: 

• A modal completion [GO98].

• A syntactic distinction between implications [BM90].

• A syntactic distinction between predicates [Har93].

We detail the latter next, but let us state, for the record, our position:

1. Provability must take into account the context where the query is attempted: in case 1. the first query is not allowed, since b is a predicate which must be called from an empty context.

2. Similarly, a → b is not a legitimate query as b must be queried in the empty context.

3. This is indeed the operational semantics of failure of hypothetical judgments; the issue is giving a logical justification of that and the challenge is to give it without changing the logic underneath.

5.5.1  NF  in  Clausal  Intuitionistic  Logic 

We can regard Clausal Intuitionistic Logic as a close cousin of uniform proofs, independently developed by McCarty in the late eighties [McC88a, McC88b]. NF in this setting has been investigated in Bonner's thesis [Bon91] and is summarized in [Bon94]. The framework in [BM90] is hypothetical Datalog (with possibly infinite constants) and embedded implications. They assume a notion of negation-stratification and develop an awkward proof theory parameterized by strata; a non-monotonic preferred Kripke model theory is presented and adequacy is demonstrated. They offer the following solution to the aforementioned paradoxes: the implication sign is really two distinct connectives, one for clauses and one for goals. Clause implication is interpreted classically and it is transitive, while goal implication is not and must be interpreted non-monotonically. Indeed the latter has a modal semantics which takes into account the extension of a context as a shift in worlds (in the Kripke sense). While we favor a syntactic distinction between goals and clauses, the uniform proof approach views implication as logical (intuitionistic) implication whose different behavior is simply dictated by its introduction and elimination rules. Moreover we do not aim to deal with arbitrary extensions. We have hinted in the previous section at how linear logic programming can address examples in this paper which are outside the fragment we are able to treat.

5.5.2  NF  and  N-Prolog 

This approach has been investigated first at the propositional level in [NL92] and then for first-order N-Prolog in [GO98]:

“In order to understand N-Prolog computations with NF, we must adopt a dynamic view of success and failure [...] we cannot determine what goals succeed or fail from a program unless we determine what goal succeeds or fail from arbitrary¹ extension of the program” [NL92] p. 258.

¹ Emphasis is mine.

The main idea is again that a computation of an implicational goal D → G from P entails a shift to another world where P ∪ D holds. The authors propose a completion construction as an explanation of negation-as-failure. The completion is formulated as an infinite theory such that comp_n(P) is used to evaluate a goal G roughly if we need n extensions of the program to compute G: for example, for a clause a ← (b → c), a is provable iff comp(P ∪ b) entails c and a is false iff comp(P ∪ b) entails ¬c. Note that comp(P ∪ b) is different from comp(P) ∪ b or comp(P) ∪ comp(b). Moreover, due to the possible non-monotonicity of arbitrary extensions, comp(P) and comp(P ∪ b) may be jointly inconsistent: the modality then represents the shift of context. The completion construction does not seem to generalize immediately to universally quantified goals. The right kind of logic turns out to be a three-valued version of K4. The authors prove soundness and completeness of ESLDNF derivability w.r.t. a Kripke-Kleene fixpoint construction for a notion of non-floundering programs. The three-valued approach avoids the restriction to stratified programs.

5.5.3  NF  in  First-Order  Uniform  Proofs 

Harland's thesis [Har91b] is an in-depth analysis of Uniform Proofs and NF at the first-order level. Unfortunately, his approach, though sound, is not adequate to our purposes, as we shall argue next. Harland inherits the traditional ‘boolean’ attitude w.r.t. the closed world assumption: predicates are either completely defined (CWA), as in the append program, or incomplete (OWA); while this distinction, he maintains, is essentially semantic and therefore enforced by user declarations, the latter coincide with the programs where temporary assumptions are made, i.e. clauses with embedded implications. Thus NF would make sense only for the former, since how will you apply the CWA to something that is by definition incomplete? Therefore those programs would require some form of real (say minimal) negation, much as in [Mil89c, Mom92]. Technically, this is achieved by distinguishing, for all predicates occurring in the signature, those which appear negatively versus positively in the body of clauses. The two sets are required to be disjoint. This of course simplifies the later development, but, unfortunately, if a predicate which appears negatively, i.e. is assumed, cannot occur positively, then it will never be used in the derivation. Its assumption is totally irrelevant to the computation and may be discarded from the program. This fragment therefore collapses to normal programs with extensional quantification. While it is possible to enforce the distinction between complete and incomplete predicates differently, we are indeed interested in applying negation to incomplete predicates, although in a restricted fashion.

Then Harland shows how to formulate the completion as first-order HHF formulae so as to simulate NF as derivability in the uniform proof system. The executable completion is formulated through contraposition. Programs are assumed to be locally stratified, hence the completion is consistent. Thus Harland identifies the completed program with its iff-completion, though he correctly has ¬(D → G) = D → ¬G. This operational interpretation of the augment instruction w.r.t. negation is nevertheless inconsistent with its formulation in the completion, where negation is interpreted classically insofar as the negative completion of Q ← G is seen as ¬(Q ∧ ¬G); again this holds only because NF cannot be applied to incomplete predicates. The classical attitude carries over to universal quantification, which is only allowed to be extensional. Harland thus does not stress the intrinsic connection between implication and parametric universal quantification. Extensionality is achieved through covering as in [MMP88], though the role of the DCA (Domain Closure Axiom) is not made explicit. Therefore Harland is not able to correlate extensional uniform proofs with intuitionistic provability plus DCA. This is not surprising since his partition between complete and incomplete predicates restricts the AUGMENT rule so that its operational provability relations are not conservative extensions of standard uniform provability: this makes the usual proof-theoretic adequacy impossible. Moreover no operational semantics for coverings is described: not only is the role of free variables introduced by coverings unclear, but the extensional rules are totally non-deterministic w.r.t. the choice of the correct covering.

An equality/inequality solver on the Herbrand universe is described and used to solve inequalities stemming from the completed definitions: this algorithm is different from the traditional uncover algorithm as it does not return the most general solution but a possibly infinite enumeration of the latter; this makes it unnecessary to left-linearize the program.

5.5.4  Partial  Inductive  Definitions 

Partial Inductive Definitions ([Hal91]) (PID) are a generalization of inductive definitions [Acz77] to definientia containing implications and, in a finitary version ([Eri93]), parametric quantification: they also incorporate a proof-theoretical notion of closure, somewhat as in the CWA, but brought about by the principle of definitional reflection. Not every PID can be given a logical (in the broad sense) reading, see for instance the ‘functional’ definition of the plus predicate in [Kre92], and this may be the source of some misunderstandings. In a logical setting, following [SH93], we can take an intuitionistic sequent calculus parameterized by a set of definitions, i.e. a finite set of clauses b ⇐ G, where b ranges over atomic predicates possibly with free variables. For a definition $\mathcal{D}$, we call $\mathcal{D}(a) = \{\sigma G \mid b \Leftarrow G \in \mathcal{D},\ a = \sigma b\}$. In the spirit of the “clauses-as-rules” paradigm [HSH90, HSH91] we add for every defined atom a the rules

$$
\frac{\Gamma \vdash G \qquad G \in \mathcal{D}(a)}{\Gamma \vdash a}\ \mathcal{D}\text{-}R
\qquad
\frac{\{\sigma\Gamma, \sigma G \vdash A \;:\; \sigma = mgu(a, b),\ b \Leftarrow G \in \mathcal{D}\}}{\Gamma, a \vdash A}\ \mathcal{D}\text{-}L
$$

Call this DR($\mathcal{D}$), for a given set of definitions $\mathcal{D}$. The first rule corresponds to backchaining on the definitional clauses, while the second, in its ω-version, reflects the closure clause of (partial) inductive definitions. They can be seen as right and left introduction rules for the atomic proposition (inductive definition) a. This feature is used in the programming language GCLA [MAK91], which allows both functional and logic programming styles. Search is conducted on sequents Γ ⊢ G and it is clearly not amenable to a uniform proof approach, since focusing is impossible as at any time each of the assumptions in the antecedent may be expanded via $\mathcal{D}$-L. Indeed, without mentioning the issue of contraction, control in this setting has proven to be a major problem and this has led to GCLA II, which is a middle ground between a logic programming language and a tactic theorem prover [Kre92]; here the user must not only provide the program in the form of a set of definitions, but also what amounts to a tactic (expressed itself as a PID) to direct the search and avoid a large number of meaningless (in logical terms) answer substitutions.

One basic problem is the failure of global cut-elimination: as discussed in [SH93], in order to reduce an atomic cut formula through the $\mathcal{D}$-L/$\mathcal{D}$-R reduction, we may generate a cut with a more complex definiens formula. Definitions are called total if they enjoy cut-elimination, otherwise they are partial. Classes of total definitions include:

• Implication-free programs.

• Contraction-free logics.

• Programs stratified w.r.t. negation.

• Programs stratified w.r.t. implication [DM97].

In the latter case, predicates are assigned levels; these are then extended to formulae, so as to forbid recursion through negative occurrences; the level of an implication is essentially the order of its type: definitions are allowed only if the level of the head is strictly greater than the level of the body: for instance a ⇐ b → a is allowed while a ⇐ a → b is not. This excludes every left-recursive definition.

Definitional reflection has been claimed to bring in a proof-theoretic notion of negation, although it would be more accurate to say that it allows a meta-level notion of closure. Intuitively, $\mathcal{D}$-L works as the only-if clause of the completion: a proof of ⊢ ¬a is a proof of a ⊢ ⊥. This has been formalized by Schroeder-Heister, who has proven [SH93] the equivalence between comp(P) (formulated in a sequent style as a left and a right rule for each completed predicate, plus a formulation of free equality again in sequent style) and DR(P) ∪ {x = x ⇐ ⊤}, where the latter clause, thanks to definitional reflection, suffices to define free equality. This result holds for any kind of definition and does not depend on cut-elimination. This has been hailed by the GCLA group as a major benefit of allowing definitional reflection, insofar as negative goals are simply a special case of implicational ones and therefore should be able to compute answer substitutions. This claim has some validity as far as normal stratified programs and ground goals are concerned: indeed they may yield only sequents such that if the antecedent is non-empty, it must be atomic and the consequent is ⊥: then $\mathcal{D}$-L must be used to introduce a definiens from a lower stratum. As mentioned above, search is here cut-free. Thus for example, ¬even(s(0)) is provable as follows, suppressing here any reference to the (empty) parameter context:

$$
\frac{\dfrac{}{even(s(0)) \vdash_{\mathrm{def}(even)} \bot}\ \mathcal{D}\text{-}L}{\vdash_{\mathrm{def}(even)} \neg even(s(0))}\ \neg R
$$

since the definiens of even(s(0)) is empty.
The equivalence with the completion holds irrespective of the presence of local variables. In this respect, then, this approach would seem to have an edge on the transformational one since it does not need extensional quantification.

Example 5.6 Consider a graph edge(a, b), edge(b, c): the deduction of path(b, a) ⊢ ⊥ leads to the conjunctive goals {(edge(b, a) ⊢ ⊥), (edge(b, Z) ∧ path(Z, a) ⊢ ⊥)}, where Z is a local logic variable; then there is a computation which reduces to ⊥ … ⊢ ⊥.

On the other hand, some of the familiar problems with negative goals arise when concerned with open queries. When logic variables are allowed, PIDs give the usual unsound reading to existential queries and one is faced again with the question of failure substitutions. For example the query ⊢_def(even) ∃x. ¬even(x) yields even(X) ⊢_def(even) ⊥; the rule $\mathcal{D}$-L will loop, being unable to compute what amounts, in our terms, to Not(0) ∩ Not(s(s(y))). In other terms, definitional reflection uses unification to consider the given definition as a minimal inductive definition, but this does not allow it to compute values that lie outside this very definition. Although it is true that ⊢_def(even) ¬even(s(0)) and hence ⊢_def(even) ∃x. ¬even(s(x)) by ∃-R, it does not mean that the above query will retrieve the appropriate instantiation. This seems to point to an operational incompleteness of definitional reflection w.r.t. open queries. Besides, this is only an intellectual curiosity, since the aforementioned problems with search preclude anyway its adoption as a mechanism to handle negation. Not surprisingly, I am not aware of any implementation of the ω-rule for the purpose of enhancing a logic language with negation, rather than to allow an idea of ω-quantification. As a matter of fact, the rule of definitional reflection used in GCLA is the weaker ‘logical’ version [MAK91] which does not imply in general the completion. As Schroeder-Heister put it:

“If we want to extend logic programming with definitional reflection then the logical rule is more adequate than the ω one. The idea of successfully computing an answer substitution, which is central to logic programming, is bound to strong closure under substitution [lifting lemma], which holds for the [former] but not for the [latter]...” [SH93].

In fairness, Eriksson [Eri92] has proposed an even stronger rule, which encompasses the two other versions “... of course with many algorithmic problems to efficiently compute bindings at application of [such a rule]”, ibidem.

Notwithstanding the similarity, PIDs give a strikingly different operational semantics to HHF. Consider for example the definition a ⇐ b → c: then the sequent ⊢ ¬a has no cut-free proof, while ⊢ a is provable, against the operational intuition of HHF:

$$
\frac{\dfrac{\dfrac{}{b \vdash c}\ \mathcal{D}\text{-}L}{\vdash b \to c}\ {\to}R}{\vdash a}\ \mathcal{D}\text{-}R
$$

Here, since b has no definition, it is assumed to be false and hence entails anything. This means that $\mathcal{D}$-L is not conservative w.r.t. the positive fragment, i.e. the former rule may be used in proving positive atoms. In the complementation approach instead, positive and negative fragments are disjoint and exclusive. This is not surprising since, as mentioned above, the equivalence with the iff-completion induces an operational semantics of failure which is distinct from the one typical of HHF. Moreover definitional reflection does not match well with parametric judgments. Consider a goal ⊢_def(open) ¬open lam(λx. x), which is clearly unprovable: a naive logic programming interpreter augmented with definitional reflection will eventually yield the goal ·; ∀x:exp. open x ⊢_def(open) ⊥. In the failed derivation of the same positive goal, a goal-oriented strategy would introduce a new parameter and try the goal y:exp; Γ ⊢_def(open) open y. Yet, the same idea does not work when definitional reflection is allowed, as now the universal is on the left and we can only do (inverted) universal elimination. Moreover, consider now the query w:exp; Γ ⊢_def(closed) closed lam(λx. w), which should fail: yet this would yield the sequent w, y:exp; closed y ⊢_def(closed) closed w and, since $\mathcal{D}$(closed y) is empty (both under the logical and the ω version), we would get the success node ·, ⊥ ⊢_def(closed) closed w!
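As an added example (my own code, not from the thesis, [SH93] or GCLA), a small propositional sequent prover with the D-R and D-L rules checks the claim above for the definition a ⇐ b → c, and also shows that ⊢ a becomes unprovable once D-L is disabled, i.e. in the positive fragment; the formula encoding and the function names are assumptions of this example.

```python
"""Propositional sequent prover with definitional reflection (D-R and D-L),
constructed to check the remark above: for the definition a <= (b -> c),
with b and c undefined, |- a is provable while |- not a is not, and |- a is
NOT provable once D-L is switched off (the positive fragment).

Encoding (my own, an assumption of this example): atoms are strings, "bot"
is falsum, ("imp", B, C) is B -> C, and not A abbreviates A -> bot.  A
definition maps each defined atom to the list of its definientia."""


def neg(a):
    return ("imp", a, "bot")


def provable(defs, gamma, goal, reflection=True, depth=0):
    """Cut-free search for  gamma |- goal.  A hypothesis is consumed when a
    left rule is applied to it, so propositional search terminates on these
    examples; `depth` is only a safety net.  `reflection=False` disables D-L."""
    if depth > 30:
        return False
    gamma = list(gamma)
    if goal in gamma or "bot" in gamma:                    # axiom, bot-L
        return True
    if isinstance(goal, tuple) and goal[0] == "imp":       # ->R
        if provable(defs, gamma + [goal[1]], goal[2], reflection, depth + 1):
            return True
    if isinstance(goal, str) and goal in defs:             # D-R: backchain
        if any(provable(defs, gamma, g, reflection, depth + 1)
               for g in defs[goal]):
            return True
    for i, h in enumerate(gamma):
        rest = gamma[:i] + gamma[i + 1:]
        if isinstance(h, tuple) and h[0] == "imp":         # ->L
            if (provable(defs, rest, h[1], reflection, depth + 1) and
                    provable(defs, rest + [h[2]], goal, reflection, depth + 1)):
                return True
        elif reflection and isinstance(h, str):            # D-L
            # One premise per definiens of h.  An undefined atom has none,
            # so all([]) is True and the branch closes: this is exactly how
            # an assumed b "entails anything" in the derivation above.
            if all(provable(defs, rest + [g], goal, reflection, depth + 1)
                   for g in defs.get(h, [])):
                return True
    return False


DEFS = {"a": [("imp", "b", "c")]}      # a <= b -> c ; b and c undefined


def thesis_example():
    """Returns (|- a with D-L, |- not a with D-L, |- a without D-L)."""
    return (provable(DEFS, [], "a"),
            provable(DEFS, [], neg("a")),
            provable(DEFS, [], "a", reflection=False))


if __name__ == "__main__":
    print(thesis_example())     # (True, False, False)
```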

The main confusion, in general, may lie in attempting to give a naive goal-oriented reading to a sequent calculus augmented with the definitional reflection rule. The latter is instead a meta-level closure operator; this is indeed how it is used in meta-logics such as M2 [SP98] and $FO\lambda^{\Delta N}$ [MM97]. If we try to use it as a logic programming engine for HHF with negation, i.e. we introduce logical variables and dynamic assumptions, it breaks down and reveals its meta-theoretic nature. We also remark that adopting our restriction to complementable programs (formally introduced in Figure 6.7) would not help, as far as logic programming is concerned. Instead, we conjecture that the proof of cut-elimination given in [MM00] can be extended to those programs, allowing the range of $FO\lambda^{\Delta N}$ to be enhanced significantly.


Chapter  6 

Clause  Complementation 


In this chapter we introduce the source language and its uniform proof system. Before formalizing the restriction to terminating programs, we establish the fundamental notion of context schema. This allows us to enforce the Regular World Assumption (RWA), on which clause complementation is built. Finally, we discuss how to give an operational semantics to our system.


6.1  The  Logic 

We will use the following slightly unusual source language. Again, we fix a signature Σ in advance which would otherwise clutter the presentation; let M, N be sequences of simple terms:

Atoms Q
Goals G

Clauses D

First and foremost, we restrict ourselves to clauses of at most third order, that is we allow HHF which only make Horn assumptions. This simplifies the presentation of the complement algorithm, but it is not an insurmountable obstacle; we comment on this and other restrictions in the Conclusions (Chapter 7). Differently from the standard presentation of HHF, we do not allow existential goals. This rules out open queries and local variables, and spares us the heavy machinery of mixed prefixes [Mil92]. On the other hand, we allow disjunction between clauses, equality and inequality. While disjunction among clauses will be eliminated, inequalities will survive, although they will always be solvable at run-time by a simple syntactic check, as we will see in due time (Section 6.9). This simplifies their treatment in type-theoretic languages such as Twelf where, in general, (in)equalities should be viewed as types inhabited by appropriate proof terms. The tokens ⊤, ⊥ may be decorated with a predicate symbol, as explained in Subsection 6.1.1 and Definition 6.21. Finally, we remark that ‘¬’ is not a connective, but a name constructor for atomic formulae.

Parameter Contexts Γ ::= · | Γ, x:A

Assumptions $\mathcal{D}$ ::= ⊤ | $\mathcal{D}$ ∧ D

We call a pair of concrete context and assumption Γ; $\mathcal{D}$, such that all parameters occurring in $\mathcal{D}$ are mentioned in Γ, a (run-time) context. We make the usual conventions on contexts; in particular we avoid mentioning the leading · and ⊤ elements.

We use the notation D ⊂ $\mathcal{P}$ ∧ $\mathcal{D}$ to indicate that D is a top-level conjunct in the program $\mathcal{P}$ or in the assumption $\mathcal{D}$.

We now introduce the uniform proofs judgments for provability and denial in Figure 6.1 and for immediate implication and denial in Figure 6.2. While the system for denial is introduced for technical reasons, namely the proof of the Exhaustivity Theorem 6.33, it is of independent interest, since it provides evidence (that is, proof terms) for non-provability. A similar system was presented in [Har91b], although in a simplified setting without parametric judgments. We remark that the systems for denial will instead not be needed in the proof of exclusivity (Theorem 6.32).

Figure 6.1: Provability and denial

Due to the presence of ‘∨’ as a clause constructor, uniform proofs are not complete w.r.t. intuitionistic logic. We will remedy this situation in Section 6.9.2. The rules are depicted (when possible) in two columns where every row displays a positive rule and its negative counterpart.

$\Gamma; \mathcal{D} \vdash_{\mathcal{P}} G$  Program $\mathcal{P}$ and assumption $\mathcal{D}$ uniformly entail G.

$\Gamma; \mathcal{D} \nvdash_{\mathcal{P}} G$  Program $\mathcal{P}$ and assumption $\mathcal{D}$ uniformly deny G.

$\Gamma; \mathcal{D} \vdash_{\mathcal{P}} D \gg Q$  Clause D from $\mathcal{P} \wedge \mathcal{D}$ immediately entails atom Q.

$\Gamma; \mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$  Clause D from $\mathcal{P} \wedge \mathcal{D}$ immediately denies atom Q.

We briefly comment on the rules: the (in)equality rules simply mirror the object logic symbols =, ≠ in meta-level (in)equality. The denial rules for implication and universal quantification reflect the operational semantics of unprovability that we have discussed earlier. Note that the denial rule for universally quantified clauses is an infinitary rule, due to the meta-linguistic extensional universal quantification on all terms. It must be read as: for every well-typed term n in parameter context Γ, ∀x:A. D immediately denies Q if so does [n/x]D. The rules ⊢∀ and ⊬∀ for universal goals are instead parametric in the new eigenvariable, say y; the (·)^y superscript reminds us of the parameter condition on y, e.g. that y does not occur free in Γ; $\mathcal{D}$ nor in G. We will use this notation in any other parametric rule.

Differently from the latter, we will also use global eigenvariables, say $u$ (see for example rule $\Rightarrow\!\forall$ in Figure 6.3); this expresses the fact that in those rules the relation holds for any term; those parameters are therefore analogous to logic variables. We will pervasively utilize this notation; however, to avoid notational clutter, when possible we shall not keep an explicit record of global parameters, but we agree to implicitly gather them in a pool which we can access when needed, in particular to type-check substitutions, see Section 6.2.

Figure 6.2: Immediate entailment and denial

$$\dfrac{}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bot \gg Q}\ \gg\!\bot \qquad \dfrac{}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \top \gg Q}\ \gg\!\top$$

$$\dfrac{\Gamma \vdash t : A \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [t/x]D \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall x{:}A.\,D \gg Q}\ \gg\!\forall \qquad \dfrac{\text{for all } n \text{ with } \Gamma \vdash n : A \qquad \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} [n/x]D \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \forall x{:}A.\,D \gg Q}\ \nvdash\!\gg\!\forall$$

$$\dfrac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q}\ \gg\!\wedge_1 \qquad \dfrac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q}\ \gg\!\wedge_2 \qquad \dfrac{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q \qquad \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q}\ \gg\!\wedge$$

$$\dfrac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \vee D_2 \gg Q}\ \gg\!\vee \qquad \dfrac{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \vee D_2 \gg Q}\ \gg\!\vee_1 \qquad \dfrac{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \vee D_2 \gg Q}\ \gg\!\vee_2$$

$$\dfrac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \leftarrow G \gg Q}\ \gg\!\to \qquad \dfrac{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \leftarrow G \gg Q}\ \gg\!\to_1 \qquad \dfrac{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \leftarrow G \gg Q}\ \gg\!\to_2$$

For the sake of conciseness we will often use in this thesis the following rule schema, where $J(X, R)$ is a judgment involving a token $X$ ranging over a set $T$ and a relation $R$:

$$\dfrac{X \in T}{J(X, R)}\ R\,X$$


6.1.1 $\top$-Normalization

We show in this section how to put every program in a normalized format w.r.t. assumptions, so that every goal in the scope of a universal quantifier depends on some assumption, possibly the trivial clause $\top$. This also has the effect of 'localizing' the trivial assumption to its atom, a property which will be very useful while performing augmentation, see Section 6.6.

We  first  state  some  basic  properties  of  provability. 

Lemma 6.1 (Weakening)

1. If $\Gamma;\mathcal{D} \vdash G$, then:

(a) $(\Gamma, x{:}A);\mathcal{D} \vdash G$.

(b) $\Gamma;(\mathcal{D} \wedge D) \vdash G$.

2. If $\Gamma;\mathcal{D} \vdash D \gg Q$, then:

(a) $(\Gamma, x{:}A);\mathcal{D} \vdash D \gg Q$.

(b) $\Gamma;(\mathcal{D} \wedge D') \vdash D \gg Q$.

Proof: A straightforward mutual induction on the given derivations. □

In the proof of Theorem 6.5 we will need the following form of Strengthening:

Lemma 6.2 ($\top$-Strengthening)

1. If $\Gamma;(\mathcal{D} \wedge \top) \vdash G$, then $\Gamma;\mathcal{D} \vdash G$.

2. If $\Gamma;(\mathcal{D} \wedge \top) \vdash D \gg Q$, then $\Gamma;\mathcal{D} \vdash D \gg Q$.

Proof: By an easy mutual induction on the structure of the given derivations. □

Normalization is realized in Figure 6.3 by the two judgments $\vdash D \Rightarrow D^\top$ and $\Gamma;\mathcal{D} \vdash G \Rightarrow G^\top$. The only interesting case is when we reach an atomic goal: if no parameter has been introduced, the clause does not require any normalization. If $\Gamma;\mathcal{D}$ is non-empty, we adopt a brute-force approach and add the trivial clause for every predicate in the signature. This is largely unnecessary, but it gives a very simple account of mutual recursion, without an explicit appeal to a call graph. As a matter of fact, we would really need to $\top$-normalize an atom $Q$ only with the trivial clause for every predicate that is mutually recursive with $Q$ and such that the type of the parameter in the context is not subordinate [Vir99] to the type of $Q$. On the other hand, Theorems 6.4 and 6.5 ensure, as is obvious, that this program transformation is harmless, since it preserves provability and denial. Moreover, we will engineer the rule for clause complementation so that the irrelevant $\top$ clauses will be inactive. We will remove those irrelevant augmentations in a final pass (Section 6.9.2).

Example 6.3 Consider the lambda clause in the open program:

$$\mathit{oplam} : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \mathit{open}\ (\mathit{lam}\ E) \leftarrow \forall x{:}\mathit{exp}.\ \mathit{open}\ (E\ x).$$

Then $\vdash \mathit{oplam} \Rightarrow \mathit{oplam}^\top$, i.e.

$$\mathit{oplam}^\top : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \mathit{open}\ (\mathit{lam}\ E) \leftarrow (\forall x{:}\mathit{exp}.\ \top_{\mathit{open}} \to \mathit{open}\ (E\ x)).$$

Consider this fragment of code involving two mutually recursive predicates:

$$\mathit{qlam} : \forall E{:}\mathit{exp} \to \mathit{exp}.\ q\ (\mathit{lam}\ E) \leftarrow \forall x{:}\mathit{exp}.\ p\ (E\ x).$$

$$\mathit{papp} : \forall E_1{:}\mathit{exp}.\ \forall E_2{:}\mathit{exp}.\ p\ (\mathit{app}\ E_1\ E_2) \leftarrow q\ E_1 \wedge p\ E_2.$$

Then:

$$\mathit{qlam}^\top : \forall E{:}\mathit{exp} \to \mathit{exp}.\ q\ (\mathit{lam}\ E) \leftarrow (\forall x{:}\mathit{exp}.\ \top_p \wedge \top_q \to p\ (E\ x)).$$

In examples, we will not mention inactive $\top$ clauses.

We start by showing that this transformation preserves run-time provability. We extend the notion of application of a substitution, notation $[t/x]F$, to a formula $F$. More in general, we denote with $[\theta]F$ the application of $\theta$ to $F$. We will also need an operation of composition, say $\sigma_1 \cdot \sigma_2$, such that $[\sigma_1 \cdot \sigma_2]F = [\sigma_2]([\sigma_1]F)$.

Theorem 6.4 Let $\Gamma';\mathcal{D}' \vdash G \Rightarrow G^\top$, $\vdash D \Rightarrow D^\top$, $\vdash \mathcal{D} \Rightarrow \mathcal{D}^\top$ and $\Gamma \vdash \theta : \Phi$.

1. If $\Gamma;[\theta]\mathcal{D} \vdash [\theta]G$, then $\Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]G^\top$.

2. If $\Gamma;[\theta]\mathcal{D} \vdash [\theta]D \gg [\theta]Q$, then $\Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]D^\top \gg [\theta]Q$.

Proof: By mutual induction on the structure of the derivation of $\gamma :: \Gamma;[\theta]\mathcal{D} \vdash [\theta]G$ and inversion on $\gamma' :: \Gamma';\mathcal{D}' \vdash G \Rightarrow G^\top$, together with $\delta :: \Gamma;[\theta]\mathcal{D} \vdash [\theta]D \gg [\theta]Q$ and inversion on $\delta' :: \vdash D \Rightarrow D^\top$. We sketch only some cases:

Case: $\gamma$ ends in $\vdash\!\mathrm{At}$ and $\gamma'$ is $\Rightarrow\!X$, $\Rightarrow\!\mathrm{At\text{-}emp}$: trivial.

Case: $\gamma$ ends in $\vdash\!\mathrm{At}$ and $\gamma'$ ends in $\Rightarrow\!\mathrm{At}$:

$\Gamma;[\theta]\mathcal{D} \vdash [\theta]Q$  By hypothesis

$\Gamma;[\theta]\mathcal{D} \vdash [\theta](\mathcal{P} \wedge \mathcal{D}) \gg [\theta]Q$  By sub-derivation

$\Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]\mathcal{P} \wedge \mathcal{D}^\top \gg [\theta]Q$  By IH 2

$\Gamma;([\theta]\mathcal{D}^\top \wedge (\bigwedge_{p \in \Sigma} \top_p)) \vdash [\theta]\mathcal{P} \wedge \mathcal{D}^\top \gg [\theta]Q$  By repeated Weakening

$\Gamma;([\theta]\mathcal{D}^\top \wedge (\bigwedge_{p \in \Sigma} \top_p)) \vdash [\theta]Q$  By rule $\vdash\!\mathrm{At}$

$\Gamma;[\theta]\mathcal{D}^\top \vdash (\bigwedge_{p \in \Sigma} \top_p) \to [\theta]Q$  By rule $\vdash\!\to$

$\Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]Q^\top$  By rule $\Rightarrow\!\mathrm{At}$

The other cases follow immediately by IH 1 and 2. □


Now, the converse:

Theorem 6.5 Let $\Gamma';\mathcal{D}' \vdash G \Rightarrow G^\top$, $\vdash D \Rightarrow D^\top$, $\vdash \mathcal{D} \Rightarrow \mathcal{D}^\top$ and $\Gamma \vdash \theta : \Phi$.

1. If $\Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]G^\top$, then $\Gamma;[\theta]\mathcal{D} \vdash [\theta]G$.

2. If $\Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]D^\top \gg [\theta]Q$, then $\Gamma;[\theta]\mathcal{D} \vdash [\theta]D \gg [\theta]Q$.

Proof: By mutual induction on the structure of $\gamma :: \Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]G^\top$ and $\delta :: \Gamma;[\theta]\mathcal{D}^\top \vdash [\theta]D^\top \gg [\theta]Q$ as above, but using $\top$-Strengthening (Lemma 6.2) in place of Weakening. □

Figure 6.3: $\top$-Normalization

An analogous result can be proven w.r.t. failure; the latter would require $\top$-Weakening and Strengthening w.r.t. the (immediate) denial relation. On the other hand, the above result will suffice if we restrict to terminating programs, as we will do in Section 6.3. First, we need to establish a theory of context schemata.

6.2 Context Schemata

In this Section we address the properties of contexts.¹ Hereditary Harrop formulae differ from Horn clauses in that they may dynamically extend the current signature and program; this is reflected in the provability (and denial) relation, which is parameterized by a run-time context $\Gamma;\mathcal{D}$. As we have argued before (Section 5.5), we cannot obtain closure under clause complementation for the full logic of HHF, but we have to restrict ourselves to a smaller (but significant) fragment. This in turn entails that we have to make sure that during execution, whenever an assumption is made, the latter stays in the fragment we have isolated. Technically, we proceed as follows:

•  We extract from the static definition of a predicate the general 'template' of a legal assumption.

•  We require dynamic assumptions to conform to this template.

We thus introduce the notion of schema satisfaction, for which we will need the following data structure: a schema context abstracts over all possible instantiations of a run-time context. To account for that, we introduce a quantifier-like operator, say $\mathrm{SOME}\ \Phi.\,D$, which takes a clause and existentially binds its free variables, i.e. the global parameters occurring in $D$. We use the following reification of schemata: do not confuse '$\|$', which is used to represent schema alternatives in the object language, with '$|$', which does the same in our informal meta-language.

Context Schemata  $\mathcal{S} ::= \circ \mid \mathcal{S} \,\|\, (\Gamma;\ \mathrm{SOME}\ \Phi.\,D)$

Example 6.6 The context schema induced by the linear predicate (Example 5.2) is as follows:

$$\mathcal{S}_{\mathit{linear}} = \circ \,\|\, x{:}\mathit{exp};\ \mathit{linear}(x) \,\|\, x{:}\mathit{exp};\ \top_{\mathit{lin}}\,x$$

while a possible run-time context is

$$y_1{:}\mathit{exp}, y_2{:}\mathit{exp}, y_3{:}\mathit{exp};\ \top_{\mathit{lin}}\,y_1 \wedge \top_{\mathit{lin}}\,y_2 \wedge \mathit{linear}(y_3)$$

Since every possible assumption is closed, there are no existential bindings. Consider instead the clauses for type-checking in the simply typed calculus:

$$\mathit{ofapp} : \forall E_1, E_2{:}\mathit{exp}.\ \forall T_1, T_2{:}\mathit{tp}.\ \mathit{of}\ (\mathit{app}\ E_1\ E_2)\ T_2 \leftarrow \mathit{of}\ E_1\ (\mathit{arrow}\ T_1\ T_2) \leftarrow \mathit{of}\ E_2\ T_1.$$

$$\mathit{oflam} : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \forall T_1, T_2{:}\mathit{tp}.\ \mathit{of}\ (\mathit{lam}\ E)\ (\mathit{arrow}\ T_1\ T_2) \leftarrow (\forall x{:}\mathit{exp}.\ \mathit{of}\ x\ T_1 \to \mathit{of}\ (E\ x)\ T_2).$$

Then the context schema is:

$$\mathcal{S}_{\mathit{of}} = \circ \,\|\, x{:}\mathit{exp};\ \mathrm{SOME}\ u{:}\mathit{tp}.\ \mathit{of}\ x\ u$$

where '$u$' is a global parameter.

¹This section is inspired by Schürmann's treatment of similar material in his dissertation [Sch00].
We will also need to disambiguate blocks in run-time contexts; overlapping may indeed happen when the alternatives in a context schema are not disjoint. For example, suppose we are given the following schema and partial run-time context:

$$\mathcal{S} = \circ \,\|\, x{:}\mathit{exp};\ p(x) \,\|\, x{:}\mathit{exp};\ p(x) \wedge q(x)$$

$$y_1{:}\mathit{exp}, y_2{:}\mathit{exp};\ p(y_1) \wedge p(y_2)$$

It is not uniquely determined whether, say, $p(y_2)$ is an instance of the first alternative or a prefix of the second one. To determine that, we simply modify the provability and denial rules $\vdash\!\mathrm{At}$ and $\nvdash\!\mathrm{At}$ by 'packaging' run-time contexts into blocks with a bracket operator $\lceil\cdot\rceil$. Intuitively, a block is complete when an atomic conclusion is reached during the deduction. It is therefore bracketed when the run-time context is passed to the immediate implication judgment.

$$\dfrac{D \subseteq \mathcal{P} \wedge \mathcal{D} \qquad \lceil\Gamma\rceil;\lceil\mathcal{D}\rceil \vdash_{\mathcal{P}} D \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} Q}\ \vdash\!\mathrm{At} \qquad \dfrac{\text{for every } D \subseteq \mathcal{P} \wedge \mathcal{D} \qquad \lceil\Gamma\rceil;\lceil\mathcal{D}\rceil \nvdash_{\mathcal{P}} D \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} Q}\ \nvdash\!\mathrm{At}$$

Still, we need to 'flatten' blocks, so that re-bracketing during execution will be immaterial on already delimited blocks; we thus require the bracket operator to satisfy the following absorption-distribution law:

$$\lceil\lceil\Gamma\rceil, \Gamma'\rceil = \lceil\Gamma\rceil, \lceil\Gamma'\rceil$$

$$\lceil\lceil\mathcal{D}\rceil \wedge \mathcal{D}'\rceil = \lceil\mathcal{D}\rceil \wedge \lceil\mathcal{D}'\rceil$$

We are now ready to introduce schema satisfaction; this is accomplished by the following judgments:

•  $\models_{\mathcal{S}} D$: clause $D$ satisfies schema $\mathcal{S}$.

•  $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$: (partial) run-time context $\Gamma;\mathcal{D}$ together with goal $G$ satisfies schema $\mathcal{S}$.

•  $\Gamma;\mathcal{D} < \mathcal{S}$: (completed) run-time context $\Gamma;\mathcal{D}$ satisfies schema $\mathcal{S}$.

•  $\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}$: block $\Gamma';\mathcal{D}'$ in context $\Gamma$ occurs in schema $\mathcal{S}$.

First, we say that a completed block occurs in a schema when the block is an alphabetic variant of some instantiation of one of the alternatives of the schema:

$$\dfrac{\Gamma \vdash \theta : \Phi \qquad (\Gamma';\mathcal{D}') =_\alpha (\Gamma'';[\theta]D)}{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S} \,\|\, (\Gamma'';\mathrm{SOME}\ \Phi.\,D)}\ \in_1 \qquad \dfrac{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S}}{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S} \,\|\, (\Gamma'';\mathrm{SOME}\ \Phi.\,D)}\ \in_2$$

The judgment $\Gamma \vdash \theta : \Phi$ formalizes that $\theta$ is a valid well-typed substitution w.r.t. $\Gamma$.

$$\dfrac{}{\Gamma \vdash \epsilon : \cdot} \qquad \dfrac{\Gamma \vdash t : A \qquad \Gamma \vdash \theta : \Phi}{\Gamma \vdash \theta, t/x : (\Phi, x{:}A)}$$

Figure 6.4: Judgments $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$, $\models_{\mathcal{S}} D$ and $\Gamma;\mathcal{D} < \mathcal{S}$

$$\dfrac{X \in \{Q, \top, \bot\} \text{ or (dis)eq} \qquad \Gamma;\mathcal{D} < \mathcal{S}}{\Gamma;\mathcal{D} \backslash X < \mathcal{S}}\ \backslash X \qquad \dfrac{\Gamma;\mathcal{D} \backslash G_1 < \mathcal{S} \qquad \Gamma;\mathcal{D} \backslash G_2 < \mathcal{S}}{\Gamma;\mathcal{D} \backslash G_1 \wedge G_2 < \mathcal{S}}\ \backslash\!\wedge$$

$$\dfrac{\Gamma;\mathcal{D} \backslash G_1 < \mathcal{S} \qquad \Gamma;\mathcal{D} \backslash G_2 < \mathcal{S}}{\Gamma;\mathcal{D} \backslash G_1 \vee G_2 < \mathcal{S}}\ \backslash\!\vee \qquad \dfrac{(\Gamma, y{:}A);\mathcal{D} \backslash [y/x]G < \mathcal{S}}{\Gamma;\mathcal{D} \backslash \forall x{:}A.\,G < \mathcal{S}}\ \backslash\!\forall \qquad \dfrac{\models_{\mathcal{S}} D \qquad \Gamma;(\mathcal{D} \wedge D) \backslash G < \mathcal{S}}{\Gamma;\mathcal{D} \backslash D \to G < \mathcal{S}}\ \backslash\!\to$$

$$\dfrac{X \in \{Q, \top, \bot\}}{\models_{\mathcal{S}} X}\ \models_{\mathcal{S}} X \qquad \dfrac{\models_{\mathcal{S}} D_1 \qquad \models_{\mathcal{S}} D_2}{\models_{\mathcal{S}} D_1 \wedge D_2}\ \models_{\mathcal{S}}\!\wedge \qquad \dfrac{\models_{\mathcal{S}} D_1 \qquad \models_{\mathcal{S}} D_2}{\models_{\mathcal{S}} D_1 \vee D_2}\ \models_{\mathcal{S}}\!\vee$$

$$\dfrac{\models_{\mathcal{S}} [u/x]D}{\models_{\mathcal{S}} \forall x{:}A.\,D}\ \models_{\mathcal{S}}\!\forall \qquad \dfrac{\models_{\mathcal{S}} D \qquad \cdot;\top \backslash G < \mathcal{S}}{\models_{\mathcal{S}} G \to D}\ \models_{\mathcal{S}}\!\to$$

$$\dfrac{}{\cdot;\top < \mathcal{S}}\ <_1 \qquad \dfrac{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S} \qquad \models_{\mathcal{S}} \mathcal{D}' \qquad (\Gamma;\mathcal{D}) < \mathcal{S}}{(\Gamma, \lceil\Gamma'\rceil);(\mathcal{D} \wedge \lceil\mathcal{D}'\rceil) < \mathcal{S}}\ <_2$$

Let us now analyze the rules in Figure 6.4. The empty run-time context is an instance of every schema. Moreover, if $\Gamma'$ and $\mathcal{D}'$ are completed blocks which occur in $\mathcal{S}$, as denoted by the block notation, then $(\Gamma, \lceil\Gamma'\rceil);(\mathcal{D} \wedge \lceil\mathcal{D}'\rceil)$ is an instance of $\mathcal{S}$, provided that $\mathcal{D}'$ is a valid clause. Thus we need to define the instance relation simultaneously to clause (and in turn to goal) satisfaction. The judgment $\models_{\mathcal{S}} D$ is merely auxiliary to the $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$ one: here we mimic the construction on the run-time schema until, in the base case, we check whether the resulting context is an instance of the given schema.

The following Lemma ensures that when an assumption $D$ is pulled from a legal run-time context, i.e. one which satisfies a given schema, then $D$ satisfies it as well.

Lemma 6.7 If $\Gamma;\mathcal{D} < \mathcal{S}$ and $D \subseteq \mathcal{D}$, then $\models_{\mathcal{S}} D$.

Proof: By induction on the structure of the derivation of $\pi :: \Gamma;\mathcal{D} < \mathcal{S}$.

Case:

$$\pi = \dfrac{}{\cdot;\top < \mathcal{S}}\ <_1$$

Then $D = \top$ and immediately $\models_{\mathcal{S}} \top$.

Case:

$$\pi = \dfrac{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S} \qquad \models_{\mathcal{S}} \mathcal{D}' \qquad (\Gamma'';\mathcal{D}'') < \mathcal{S}}{(\Gamma'', \lceil\Gamma'\rceil);(\mathcal{D}'' \wedge \lceil\mathcal{D}'\rceil) < \mathcal{S}}\ <_2$$

Subcase: $D = \mathcal{D}'$.

$\models_{\mathcal{S}} \mathcal{D}'$  By hypothesis

Subcase: $D \subseteq \mathcal{D}''$.

$\Gamma'';\mathcal{D}'' < \mathcal{S}$  By sub-derivation

$\models_{\mathcal{S}} D$  By IH

□


We can also show that schema satisfaction is closed under substitution:

Lemma 6.8 Let $\Gamma;\mathcal{D} < \mathcal{S}$ and $\Gamma \vdash \theta : \Phi$.

1. If $\models_{\mathcal{S}} D$, then $\models_{\mathcal{S}} [\theta]D$.

2. If $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$, then $\Gamma;[\theta]\mathcal{D} \backslash [\theta]G < \mathcal{S}$.

3. If $\Gamma;\mathcal{D} < \mathcal{S}$, then $\Gamma;[\theta]\mathcal{D} < \mathcal{S}$.

Proof: By a straightforward mutual induction on the structure of $\pi :: \models_{\mathcal{S}} D$, $\gamma :: \Gamma;\mathcal{D} \backslash G < \mathcal{S}$ and $\sigma :: \Gamma;\mathcal{D} < \mathcal{S}$. □

6.2.1  Schema  Extraction 

Roughly, we extract a context schema by collecting all negative occurrences in a goal. In fact, those will be dynamically added to the static program under evaluation. This is achieved by the judgment $\Gamma;\mathcal{D} \vdash_\Phi G \Rightarrow \mathcal{S}$. The latter is mutually recursive with the judgment $\vdash_\Phi D \Rightarrow \mathcal{S}$, which collects schemata for each clause in the given program, as depicted in Figure 6.5. When an atomic goal is reached, the current list of parameters and assumptions is returned, with the correct existential binding inferred from the context of global variables. With the notation $\Phi_D$ we mean the restriction of context $\Phi$ to the free variables of $D$, i.e. $\{u{:}A \mid u \in \mathrm{dom}(\Phi), u \in FV(D)\}$. We make the convention to absorb schema alternatives which are $\alpha$-variants. Moreover, the empty context behaves as a left and right zero element for $\|$, i.e.:

$$(\Gamma;\mathcal{D} \,\|\, \cdot;\top) = (\cdot;\top \,\|\, \Gamma;\mathcal{D}) = \Gamma;\mathcal{D}$$

Finally, $\|$ is commutative.

Example 6.9 If $\mathcal{P}$ is the program in Example 5.2, $\vdash \mathcal{P} \Rightarrow x{:}\mathit{exp};\ \mathit{linear}(x) \,\|\, x{:}\mathit{exp};\ \top_{\mathit{lin}}\,x$.
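As an added illustration (this is not the thesis's own code), the following Python sketch implements both the $\top$-normalization of Section 6.1.1 (reproducing Example 6.3) and the schema extraction of Figure 6.5 (reproducing the schema $\mathcal{S}_{\mathit{of}}$ of Example 6.6) on a small clause AST. The string-based terms, the naming convention for global parameters and the approximation of $\alpha$-variance by structural equality are assumptions of this sketch.

```python
# Added example, not the thesis's own code: a toy clause language in which the
# ⊤-normalisation of Section 6.1.1 and the schema extraction of Figure 6.5 are
# implemented literally.  Assumptions of this sketch: argument terms are plain
# strings, capitalised identifiers are the globals of Φ, lower-case ones are
# constants or eigenvariables, and α-variance is approximated by equality.
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Atom: pred: str; args: tuple                  # atomic formula Q
@dataclass(frozen=True)
class Top: pred: str = None                         # goal ⊤, or trivial clause ⊤_p
@dataclass(frozen=True)
class And: left: object; right: object
@dataclass(frozen=True)
class Forall: var: str; ty: str; body: object
@dataclass(frozen=True)
class Imp: premise: object; conclusion: object      # D → G in goals, G → D in clauses
@dataclass(frozen=True)
class Alt: gamma: tuple; some: tuple; delta: tuple  # schema alternative Γ; SOME Φ_D. D

def top_conj(sig):
    """⋀_{p∈Σ} ⊤_p for the predicate signature Σ = sig (a tuple of names)."""
    acc = Top(sig[-1])
    for p in reversed(sig[:-1]):
        acc = And(Top(p), acc)
    return acc

def norm_goal(g, gamma, delta, sig):
    """Γ;𝒟 ⊢ G ⇒ G^⊤: augment every atom reached under a parameter or assumption."""
    if isinstance(g, (Atom, Top)):
        return g if not gamma and not delta else Imp(top_conj(sig), g)
    if isinstance(g, And):
        return And(norm_goal(g.left, gamma, delta, sig), norm_goal(g.right, gamma, delta, sig))
    if isinstance(g, Forall):                       # ∀x:A.G puts x into Γ
        return Forall(g.var, g.ty, norm_goal(g.body, gamma + ((g.var, g.ty),), delta, sig))
    return Imp(norm_clause(g.premise, sig),         # D → G puts D into 𝒟
               norm_goal(g.conclusion, gamma, delta + (g.premise,), sig))

def norm_clause(d, sig):
    """⊢ D ⇒ D^⊤: normalise the body goal of every clause."""
    if isinstance(d, Forall):
        return Forall(d.var, d.ty, norm_clause(d.body, sig))
    if isinstance(d, And):
        return And(norm_clause(d.left, sig), norm_clause(d.right, sig))
    if isinstance(d, Imp):
        return Imp(norm_goal(d.premise, (), (), sig), norm_clause(d.conclusion, sig))
    return d

def idents(f):
    """Identifiers occurring free in f (∀-bound variables removed)."""
    if isinstance(f, Atom):
        return set(re.findall(r"[A-Za-z_]\w*", " ".join(f.args)))
    if isinstance(f, Top):
        return set()
    if isinstance(f, Forall):
        return idents(f.body) - {f.var}
    if isinstance(f, And):
        return idents(f.left) | idents(f.right)
    return idents(f.premise) | idents(f.conclusion)

def merge(s1, s2):
    """S1 || S2, absorbing repeated alternatives; the empty list plays ·;⊤."""
    return s1 + [a for a in s2 if a not in s1]

def extract_goal(g, gamma, delta, phi):
    """Γ;𝒟 ⊢_Φ G ⇒ S: return the negative occurrences reached in G."""
    if isinstance(g, (Atom, Top)):
        if not gamma and not delta:                 # nothing assumed: yields ·;⊤
            return []
        used = set().union(*(idents(d) for d in delta))
        return [Alt(gamma, tuple((u, a) for u, a in phi if u in used), delta)]
    if isinstance(g, And):
        return merge(extract_goal(g.left, gamma, delta, phi), extract_goal(g.right, gamma, delta, phi))
    if isinstance(g, Forall):                       # rule ∀^y: eigenvariable enters Γ
        return extract_goal(g.body, gamma + ((g.var, g.ty),), delta, phi)
    return merge(extract_goal(g.conclusion, gamma, delta + (g.premise,), phi),
                 extract_clause(g.premise, phi))

def extract_clause(d, phi=()):
    """⊢_Φ D ⇒ S: rule ∀^u turns each bound variable into a global u:A."""
    if isinstance(d, Forall):
        return extract_clause(d.body, phi + ((d.var, d.ty),))
    if isinstance(d, And):
        return merge(extract_clause(d.left, phi), extract_clause(d.right, phi))
    if isinstance(d, Imp):                          # G → D: the assumptions live in G
        return merge(extract_goal(d.premise, (), (), phi), extract_clause(d.conclusion, phi))
    return []

# constructed sample clauses: oplam (Example 6.3), ofapp and oflam (Example 6.6)
OPLAM = Forall("E", "exp -> exp", Imp(
    Forall("x", "exp", Atom("open", ("(E x)",))), Atom("open", ("(lam E)",))))
OFAPP = Forall("E1", "exp", Forall("E2", "exp", Forall("T1", "tp", Forall("T2", "tp", Imp(
    And(Atom("of", ("E1", "(arrow T1 T2)")), Atom("of", ("E2", "T1"))),
    Atom("of", ("(app E1 E2)", "T2")))))))
OFLAM = Forall("E", "exp -> exp", Forall("T1", "tp", Forall("T2", "tp", Imp(
    Forall("x", "exp", Imp(Atom("of", ("x", "T1")), Atom("of", ("(E x)", "T2")))),
    Atom("of", ("(lam E)", "(arrow T1 T2)"))))))
```

Running `merge(extract_clause(OFAPP), extract_clause(OFLAM))` yields the single alternative $x{:}\mathit{exp};\ \mathrm{SOME}\ T_1{:}\mathit{tp}.\ \mathit{of}\ x\ T_1$, an $\alpha$-variant of $\mathcal{S}_{\mathit{of}}$, while `norm_clause(OPLAM, ("open",))` yields $\mathit{oplam}^\top$.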

We aim to show that if a context schema is extracted from a program, the latter satisfies the former. First, we need to establish two weakening lemmata w.r.t. schema alternatives:

Lemma 6.10 If $\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}$ then $\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}' \,\|\, \mathcal{S}$.

Proof: By a straightforward induction on the structure of $\pi :: \Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}$. □

Figure 6.5: Extracting context schemata

$$\dfrac{X \in \{Q, \top, \bot\} \text{ or (dis)eq}}{\Gamma;\mathcal{D} \vdash_\Phi X \Rightarrow \Gamma;\mathrm{SOME}\ \Phi_{\mathcal{D}}.\,\mathcal{D}}\ X \qquad \dfrac{\Gamma;(\mathcal{D} \wedge D) \vdash_\Phi G \Rightarrow \mathcal{S}_1 \qquad \vdash_\Phi D \Rightarrow \mathcal{S}_2}{\Gamma;\mathcal{D} \vdash_\Phi D \to G \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \to$$

$$\dfrac{(\Gamma, y{:}A);\mathcal{D} \vdash_\Phi [y/x]G \Rightarrow \mathcal{S}}{\Gamma;\mathcal{D} \vdash_\Phi \forall x{:}A.\,G \Rightarrow \mathcal{S}}\ \forall^y \qquad \dfrac{\Gamma;\mathcal{D} \vdash_\Phi G_1 \Rightarrow \mathcal{S}_1 \qquad \Gamma;\mathcal{D} \vdash_\Phi G_2 \Rightarrow \mathcal{S}_2}{\Gamma;\mathcal{D} \vdash_\Phi G_1 \wedge G_2 \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \wedge \qquad \dfrac{\Gamma;\mathcal{D} \vdash_\Phi G_1 \Rightarrow \mathcal{S}_1 \qquad \Gamma;\mathcal{D} \vdash_\Phi G_2 \Rightarrow \mathcal{S}_2}{\Gamma;\mathcal{D} \vdash_\Phi G_1 \vee G_2 \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \vee$$

$$\dfrac{X \in \{Q, \top, \bot\}}{\vdash_\Phi X \Rightarrow \cdot;\top}\ X \qquad \dfrac{\cdot;\top \vdash_\Phi G \Rightarrow \mathcal{S}_1 \qquad \vdash_\Phi D \Rightarrow \mathcal{S}_2}{\vdash_\Phi (G \to D) \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \to \qquad \dfrac{\vdash_{\Phi, u{:}A} [u/x]D \Rightarrow \mathcal{S}}{\vdash_\Phi \forall x{:}A.\,D \Rightarrow \mathcal{S}}\ \forall^u$$

$$\dfrac{\vdash_\Phi D_1 \Rightarrow \mathcal{S}_1 \qquad \vdash_\Phi D_2 \Rightarrow \mathcal{S}_2}{\vdash_\Phi D_1 \wedge D_2 \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \wedge \qquad \dfrac{\vdash_\Phi D_1 \Rightarrow \mathcal{S}_1 \qquad \vdash_\Phi D_2 \Rightarrow \mathcal{S}_2}{\vdash_\Phi D_1 \vee D_2 \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \vee$$

Note also that $\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}' \,\|\, \mathcal{S}$ iff $\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S} \,\|\, \mathcal{S}'$.


Lemma 6.11 (Schema Weakening) Let $\Gamma;\mathcal{D} < \mathcal{S}$. Then

1. If $\models_{\mathcal{S}} D$, then $\models_{\mathcal{S} \| \mathcal{S}'} D$.

2. If $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$, then $\Gamma;\mathcal{D} \backslash G < \mathcal{S} \,\|\, \mathcal{S}'$.

3. If $\Gamma;\mathcal{D} < \mathcal{S}$, then $\Gamma;\mathcal{D} < \mathcal{S} \,\|\, \mathcal{S}'$.

Proof: By mutual induction on the structure of $\pi :: \models_{\mathcal{S}} D$, $\gamma :: \Gamma;\mathcal{D} \backslash G < \mathcal{S}$ and $\sigma :: \Gamma;\mathcal{D} < \mathcal{S}$. We show the crucial cases:

Case:

$$\pi = \dfrac{X \in \{Q, \top, \bot\}}{\models_{\mathcal{S}} X}\ \models_{\mathcal{S}} X$$

Trivially

$$\pi' = \dfrac{X \in \{Q, \top, \bot\}}{\models_{\mathcal{S} \| \mathcal{S}'} X}\ \models_{\mathcal{S}} X$$

Case:

$$\pi = \dfrac{\models_{\mathcal{S}} D \qquad \cdot;\top \backslash G < \mathcal{S}}{\models_{\mathcal{S}} G \to D}\ \models_{\mathcal{S}}\!\to$$

$\models_{\mathcal{S}} D$  By sub-derivation

$\models_{\mathcal{S} \| \mathcal{S}'} D$  By IH 1

$\cdot;\top \backslash G < \mathcal{S}$  By sub-derivation

$\cdot;\top \backslash G < \mathcal{S} \,\|\, \mathcal{S}'$  By IH 2

$\models_{\mathcal{S} \| \mathcal{S}'} G \to D$  By rule $\models_{\mathcal{S}}\!\to$

Case:

$$\gamma = \dfrac{X \in \{Q, \top, \bot\} \text{ or (dis)eq} \qquad \Gamma;\mathcal{D} < \mathcal{S}}{\Gamma;\mathcal{D} \backslash X < \mathcal{S}}\ \backslash X$$

$\Gamma;\mathcal{D} < \mathcal{S}$  By sub-derivation

$\Gamma;\mathcal{D} < \mathcal{S} \,\|\, \mathcal{S}'$  By IH 3

$\Gamma;\mathcal{D} \backslash X < \mathcal{S} \,\|\, \mathcal{S}'$  By rule $\backslash X$

Case:

$$\gamma = \dfrac{\models_{\mathcal{S}} D \qquad \Gamma;(\mathcal{D} \wedge D) \backslash G < \mathcal{S}}{\Gamma;\mathcal{D} \backslash D \to G < \mathcal{S}}\ \backslash\!\to$$

$\models_{\mathcal{S}} D$  By sub-derivation

$\models_{\mathcal{S} \| \mathcal{S}'} D$  By IH 1

$\Gamma;(\mathcal{D} \wedge D) \backslash G < \mathcal{S}$  By sub-derivation

$\Gamma;(\mathcal{D} \wedge D) \backslash G < \mathcal{S} \,\|\, \mathcal{S}'$  By IH 2

$\Gamma;\mathcal{D} \backslash D \to G < \mathcal{S} \,\|\, \mathcal{S}'$  By rule $\backslash\!\to$

Case:

$$\sigma = \dfrac{}{\cdot;\top < \mathcal{S}}\ <_1$$

Then immediately:

$$\sigma' = \dfrac{}{\cdot;\top < \mathcal{S} \,\|\, \mathcal{S}'}\ <_1$$

Case:

$$\sigma = \dfrac{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S} \qquad \models_{\mathcal{S}} \mathcal{D}' \qquad (\Gamma;\mathcal{D}) < \mathcal{S}}{(\Gamma, \lceil\Gamma'\rceil);(\mathcal{D} \wedge \lceil\mathcal{D}'\rceil) < \mathcal{S}}\ <_2$$

$\Gamma;\mathcal{D} < \mathcal{S}$  By sub-derivation

$\Gamma;\mathcal{D} < \mathcal{S} \,\|\, \mathcal{S}'$  By IH 3

$\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}$  By sub-derivation

$\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S} \,\|\, \mathcal{S}'$  By Lemma 6.10

$\models_{\mathcal{S}} \mathcal{D}'$  By sub-derivation

$\models_{\mathcal{S} \| \mathcal{S}'} \mathcal{D}'$  By IH 1

$(\Gamma, \lceil\Gamma'\rceil);(\mathcal{D} \wedge \lceil\mathcal{D}'\rceil) < \mathcal{S} \,\|\, \mathcal{S}'$  By rule $<_2$

□

We are now ready to show that if a program yields a schema, then every instance of a clause used at run-time will comply with the schema. We need to generalize this statement to take into account instances of goals as well; in the latter case, we need to synchronize the schema accumulator in $\Gamma';\mathcal{D}' \vdash_\Phi G \Rightarrow \mathcal{S}$ with the possibly incomplete run-time context $\Gamma;\mathcal{D}$. A fortiori the result holds for compile-time contexts as well, by taking $\Gamma;\mathcal{D}$ as $\cdot;\top$.

Theorem 6.12 (Extracted Schema Satisfaction) Let $\Gamma \vdash \theta : \Phi$.

1. If $\vdash_\Phi D \Rightarrow \mathcal{S}$, then $\models_{\mathcal{S}} [\theta]D$.

2. If $\Gamma';\mathcal{D}' \vdash_\Phi G \Rightarrow \mathcal{S}$, $\models_{\mathcal{S}} \mathcal{D}'$ and $\Gamma;\mathcal{D} < \mathcal{S}$, then $(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]G < \mathcal{S}$.

Proof: By mutual induction on the structure of $\pi :: \vdash_\Phi D \Rightarrow \mathcal{S}$ and $\gamma :: \Gamma';\mathcal{D}' \vdash_\Phi G \Rightarrow \mathcal{S}$.

Case:

$$\pi = \dfrac{X \in \{Q, \top, \bot\}}{\vdash_\Phi X \Rightarrow \cdot;\top}\ X$$

$\models_{\cdot;\top} [\theta]X$  By rule $\models_{\mathcal{S}} X$

Case:

$$\pi = \dfrac{\vdash_\Phi D_1 \Rightarrow \mathcal{S}_1 \qquad \vdash_\Phi D_2 \Rightarrow \mathcal{S}_2}{\vdash_\Phi D_1 \wedge D_2 \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \wedge$$

$\vdash_\Phi D_1 \Rightarrow \mathcal{S}_1$  By sub-derivation

$\vdash_\Phi D_2 \Rightarrow \mathcal{S}_2$  By sub-derivation

$\models_{\mathcal{S}_1} [\theta]D_1$  By IH 1

$\models_{\mathcal{S}_2} [\theta]D_2$  By IH 1

$\models_{\mathcal{S}_1 \| \mathcal{S}_2} [\theta]D_1$  By Lemma 6.11

$\models_{\mathcal{S}_1 \| \mathcal{S}_2} [\theta]D_2$  By Lemma 6.11

$\models_{\mathcal{S}_1 \| \mathcal{S}_2} [\theta]D_1 \wedge [\theta]D_2$  By rule $\models_{\mathcal{S}}\!\wedge$

$\models_{\mathcal{S}_1 \| \mathcal{S}_2} [\theta](D_1 \wedge D_2)$  By subst.

Case: $\pi$ ends in $\vee$: analogously to the above.

Case: $\pi$ ends in $\forall^u$: by an immediate appeal to IH 1.

Case:

$$\pi = \dfrac{\cdot;\top \vdash_\Phi G \Rightarrow \mathcal{S}_1 \qquad \vdash_\Phi D \Rightarrow \mathcal{S}_2}{\vdash_\Phi (G \to D) \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \to$$

$\vdash_\Phi D \Rightarrow \mathcal{S}_2$  By sub-derivation

$\models_{\mathcal{S}_2} [\theta]D$  By IH 1

$\models_{\mathcal{S}_1 \| \mathcal{S}_2} [\theta]D$  By Lemma 6.11

$\cdot;\top \vdash_\Phi G \Rightarrow \mathcal{S}_1$  By sub-derivation

$\cdot;\top < \mathcal{S}_1$  By rule $<_1$

$\cdot;\top \backslash [\theta]G < \mathcal{S}_1$  By IH 2

$\cdot;\top \backslash [\theta]G < \mathcal{S}_1 \,\|\, \mathcal{S}_2$  By Lemma 6.11

$\models_{\mathcal{S}_1 \| \mathcal{S}_2} [\theta](G \to D)$  By rule $\models_{\mathcal{S}}\!\to$

Case:

$$\gamma = \dfrac{X \in \{Q, \top, \bot\} \text{ or (dis)eq}}{\Gamma';\mathcal{D}' \vdash_\Phi X \Rightarrow \Gamma';\mathrm{SOME}\ \Phi_{\mathcal{D}'}.\,\mathcal{D}'}\ X$$

$(\Gamma';[\theta]\mathcal{D}') =_\alpha (\Gamma';[\theta]\mathcal{D}')$  By hypothesis

$\Gamma \vdash \Gamma';[\theta]\mathcal{D}' \in \Gamma';\mathrm{SOME}\ \Phi_{\mathcal{D}'}.\,\mathcal{D}'$  By rule $\in_1$

$\Gamma;\mathcal{D} < \Gamma';\mathrm{SOME}\ \Phi_{\mathcal{D}'}.\,\mathcal{D}'$  By hypothesis

$\models_{\Gamma';\mathrm{SOME}\ \Phi_{\mathcal{D}'}.\,\mathcal{D}'} \mathcal{D}'$  By hypothesis

$\models_{\Gamma';\mathrm{SOME}\ \Phi_{\mathcal{D}'}.\,\mathcal{D}'} [\theta]\mathcal{D}'$  By Lemma 6.8

$(\Gamma, \lceil\Gamma'\rceil);(\mathcal{D} \wedge \lceil[\theta]\mathcal{D}'\rceil) < \Gamma';\mathrm{SOME}\ \Phi_{\mathcal{D}'}.\,\mathcal{D}'$  By rule $<_2$

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]X < \Gamma';\mathrm{SOME}\ \Phi_{\mathcal{D}'}.\,\mathcal{D}'$  By rule $\backslash X$

Case:

$$\gamma = \dfrac{(\Gamma', y{:}A);\mathcal{D}' \vdash_\Phi [y/x]G \Rightarrow \mathcal{S}}{\Gamma';\mathcal{D}' \vdash_\Phi \forall x{:}A.\,G \Rightarrow \mathcal{S}}\ \forall^y$$

$(\Gamma', y{:}A);\mathcal{D}' \vdash_\Phi [y/x]G \Rightarrow \mathcal{S}$  By sub-derivation

$(\Gamma, \Gamma', y{:}A);(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta][y/x]G < \mathcal{S}$  By IH 2

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]\forall x{:}A.\,G < \mathcal{S}$  By rule $\backslash\!\forall$

Case:

$$\gamma = \dfrac{\Gamma';(\mathcal{D}' \wedge D) \vdash_\Phi G \Rightarrow \mathcal{S}_1 \qquad \vdash_\Phi D \Rightarrow \mathcal{S}_2}{\Gamma';\mathcal{D}' \vdash_\Phi D \to G \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \to$$

$\vdash_\Phi D \Rightarrow \mathcal{S}_2$  By sub-derivation

$\models_{\mathcal{S}_2} [\theta]D$  By IH 1

$\models_{\mathcal{S}_1 \| \mathcal{S}_2} [\theta]D$  By Lemma 6.11

$\Gamma;\mathcal{D} < \mathcal{S}_1$  By hypothesis

$\Gamma';(\mathcal{D}' \wedge D) \vdash_\Phi G \Rightarrow \mathcal{S}_1$  By sub-derivation

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}' \wedge [\theta]D) \backslash [\theta]G < \mathcal{S}_1$  By IH 2

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}' \wedge [\theta]D) \backslash [\theta]G < \mathcal{S}_1 \,\|\, \mathcal{S}_2$  By Lemma 6.11

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]D \to [\theta]G < \mathcal{S}_1 \,\|\, \mathcal{S}_2$  By rule $\backslash\!\to$

Case:

$$\gamma = \dfrac{\Gamma';\mathcal{D}' \vdash_\Phi G_1 \Rightarrow \mathcal{S}_1 \qquad \Gamma';\mathcal{D}' \vdash_\Phi G_2 \Rightarrow \mathcal{S}_2}{\Gamma';\mathcal{D}' \vdash_\Phi G_1 \wedge G_2 \Rightarrow \mathcal{S}_1 \,\|\, \mathcal{S}_2}\ \wedge$$

$\Gamma';\mathcal{D}' \vdash_\Phi G_1 \Rightarrow \mathcal{S}_1$  By sub-derivation

$\Gamma;\mathcal{D} < \mathcal{S}_1$  By hypothesis

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]G_1 < \mathcal{S}_1$  By IH 2

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]G_1 < \mathcal{S}_1 \,\|\, \mathcal{S}_2$  By Lemma 6.11

$\Gamma';\mathcal{D}' \vdash_\Phi G_2 \Rightarrow \mathcal{S}_2$  By sub-derivation

$\Gamma;\mathcal{D} < \mathcal{S}_2$  By hypothesis

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]G_2 < \mathcal{S}_2$  By IH 2

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]G_2 < \mathcal{S}_1 \,\|\, \mathcal{S}_2$  By Lemma 6.11

$(\Gamma, \Gamma');(\mathcal{D} \wedge [\theta]\mathcal{D}') \backslash [\theta]G_1 \wedge [\theta]G_2 < \mathcal{S}_1 \,\|\, \mathcal{S}_2$  By rule $\backslash\!\wedge$

Case: $\gamma$ ends in $\vee$: similarly to the above, by IH 2.

□


6.2.2 Context Preservation

We aim to prove that execution preserves contexts, provided that the program itself and the input goal satisfy a schema; that is, that every subgoal which arises in any given successful or failed (immediate and non-immediate) sub-derivation satisfies the same context schema.

Note that we have already established schema extraction (Theorem 6.12), that is we assume that $\vdash \mathcal{P} \Rightarrow \mathcal{S}$. We write $\pi' < \pi$ to say that $\pi'$ is a strict subproof of $\pi$, and $\pi' \leq \pi$ if $\pi' < \pi$ or $\pi' = \pi$.

Theorem 6.13 (Context Preservation w.r.t. Provability) Let $\models_{\mathcal{S}} \mathcal{P}$ and $D \subseteq (\mathcal{P} \wedge \mathcal{D})$. For any $\Gamma;\mathcal{D} < \mathcal{S}$, if ($\pi :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} G$ and $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$) or ($\iota :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\models_{\mathcal{S}} D$), then:

1. for every subproof $\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} G'$ we have $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$,

2. for every subproof $\iota' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D' \gg Q'$ we have $\models_{\mathcal{S}} D'$.

Proof: By mutual induction on the structure of $\pi :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} G$ and $\iota :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$.

Case: $\pi = \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \top$: trivial.

Case:

$$\pi = \dfrac{\pi_1 :: \Gamma;\mathcal{D} \wedge D \vdash_{\mathcal{P}} G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \to G}\ \vdash\!\to$$

Subcase: $\pi' = \pi$: trivial.

Subcase: $\pi' < \pi$: then $\pi' \leq \pi_1$.

$\pi_1 :: \Gamma;\mathcal{D} \wedge D \vdash_{\mathcal{P}} G$  By sub-derivation

$\Gamma;\mathcal{D} \backslash D \to G < \mathcal{S}$  By hypothesis

$\Gamma;\mathcal{D} \wedge D \backslash G < \mathcal{S}$  By inversion

$\iota' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D' \gg Q$ and $\models_{\mathcal{S}} D'$ and $\pi' :: \Gamma';(\mathcal{D}' \wedge D') \vdash_{\mathcal{P}} G'$ and $\Gamma';(\mathcal{D}' \wedge D') \backslash G' < \mathcal{S}$  By IH

$\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D' \to G'$ and $\Gamma';\mathcal{D}' \backslash D' \to G' < \mathcal{S}$  By rule

Case:

$$\pi = \dfrac{\pi_1 :: (\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall x{:}A.\,G}\ \vdash\!\forall^y$$

Subcase: $\pi' = \pi$: trivial.

Subcase: $\pi' < \pi$: then $\pi' \leq \pi_1$.

$\pi_1 :: (\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G$  By sub-derivation

$\Gamma;\mathcal{D} \backslash \forall x{:}A.\,G < \mathcal{S}$  By hypothesis

$(\Gamma, y{:}A);\mathcal{D} \backslash [y/x]G < \mathcal{S}$  By inversion

$\iota' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D' \gg Q$ and $\models_{\mathcal{S}} D'$ and $\pi'_1 :: (\Gamma', y{:}A);\mathcal{D}' \vdash_{\mathcal{P}} [y/x]G'$ and $(\Gamma', y{:}A);\mathcal{D}' \backslash [y/x]G' < \mathcal{S}$  By IH

$\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} \forall x{:}A.\,G'$ and $\Gamma';\mathcal{D}' \backslash \forall x{:}A.\,G' < \mathcal{S}$  By rule

Case: $\pi$ ends in $\vdash\!\wedge$, $\vdash\!\vee_1$, $\vdash\!\vee_2$: similarly.

Case:

$$\pi = \dfrac{\iota :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} Q}\ \vdash\!\mathrm{At}$$

Subcase: $\pi' = \pi$: trivial.

Subcase: $\pi' < \pi$: then $\pi' \leq \iota$.

Subcase: $\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$, for $D \subseteq \mathcal{P}$  By sub-derivation

$\models_{\mathcal{S}} D$  By hypothesis

$\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and $\iota'_1 :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D' \gg Q'$ and $\models_{\mathcal{S}} D'$  By IH

$\Gamma';\mathcal{D}' \vdash_{\mathcal{P}} Q'$ and $\Gamma';\mathcal{D}' \backslash Q' < \mathcal{S}$  By rule

Subcase: $\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$, for $D \subseteq \mathcal{D}$  By sub-derivation

$\models_{\mathcal{S}} D$  By Lemma 6.7

$\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and $\iota'_1 :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D' \gg Q'$ and $\models_{\mathcal{S}} D'$  By IH

$\Gamma';\mathcal{D}' \vdash_{\mathcal{P}} Q'$ and $\Gamma';\mathcal{D}' \backslash Q' < \mathcal{S}$  By rule

Case: $\iota :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bot \gg Q$: trivial.

Case:

$$\iota = \dfrac{\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q}\ \gg\!\wedge_1$$

Subcase: $\iota' = \iota$: trivial.

Subcase: $\iota' < \iota$: then $\iota' \leq \iota_1$:

$\models_{\mathcal{S}} D_1 \wedge D_2$  By hypothesis

$\models_{\mathcal{S}} D_1$ and $\models_{\mathcal{S}} D_2$  By inversion

$\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$  By sub-derivation

$\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and $\iota'_1 :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D'_1 \gg Q$ and $\models_{\mathcal{S}} D'_1$  By IH

$\iota' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D'_1 \wedge D'_2 \gg Q$ and $\models_{\mathcal{S}} D'_1 \wedge D'_2$  By rule

Case: $\iota$ ends in $\gg\!\wedge_2$. Symmetrical.

Case:

$$\iota = \dfrac{\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [t/x]D \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall x{:}A.\,D \gg Q}\ \gg\!\forall$$

Subcase: $\iota' = \iota$: trivial.

Subcase: $\iota' < \iota$: then $\iota' \leq \iota_1$.

$\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [t/x]D \gg Q$  By sub-derivation

$\models_{\mathcal{S}} \forall x{:}A.\,D$  By hypothesis

$\models_{\mathcal{S}} [u/x]D$  By inversion

$\models_{\mathcal{S}} [t/u, u/x]D$  By substitution

$\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and $\iota'_1 :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} [t/x]D' \gg Q$ and $\models_{\mathcal{S}} [t/x]D'$  By IH

$\iota' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} \forall x{:}A.\,D' \gg Q$ and $\models_{\mathcal{S}} \forall x{:}A.\,D'$  By rule

Case:

$$\iota = \dfrac{\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q \qquad \pi_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G \to D \gg Q}\ \gg\!\to$$

Subcase: $\iota' = \iota$: trivial.

Subcase: $\iota' < \iota$:

Subcase: $\iota' \leq \iota_1$:

$\iota_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\pi_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} G$  By sub-derivation

$\models_{\mathcal{S}} G \to D$  By hypothesis

$\Gamma;\mathcal{D} \backslash G < \mathcal{S}$ and $\models_{\mathcal{S}} D$  By inversion

$\pi' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and $\iota'_1 :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} D' \gg Q$ and $\models_{\mathcal{S}} D'$  By IH

$\iota' :: \Gamma';\mathcal{D}' \vdash_{\mathcal{P}} G' \to D' \gg Q$ and $\models_{\mathcal{S}} G' \to D'$  By rule

Subcase: $\iota' \leq \pi_1$: analogously.

Case: $\iota$ ends in $\gg\!\vee$: similarly.

□


We establish an analogous result w.r.t. denial.

Theorem 6.14 (Context Preservation w.r.t. Denial) Let $\models_{\mathcal{S}} \mathcal{P}$ and $D \subseteq (\mathcal{P} \wedge \mathcal{D})$: for any $\Gamma;\mathcal{D} < \mathcal{S}$, if ($\pi :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G$ and $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$) or ($\iota :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$ and $\models_{\mathcal{S}} D$), then:

1. for every subproof $\pi' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} G'$ we have $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$.

2. for every subproof $\iota' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} D' \gg Q'$ we have $\models_{\mathcal{S}} D'$.

Proof: By mutual induction on the structure of $\pi :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G$ and $\iota :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$, similarly to the case of provability. We show only some cases:

Case:

$$\pi = \dfrac{\pi_1 :: \Gamma;(\mathcal{D} \wedge D) \nvdash_{\mathcal{P}} G}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \to G}\ \nvdash\!\to$$

Subcase: $\pi' = \pi$: trivial.

Subcase: $\pi' < \pi$: then $\pi' \leq \pi_1$:

$\Gamma;(\mathcal{D} \wedge D) \nvdash_{\mathcal{P}} G$  By sub-derivation

$\Gamma;\mathcal{D} \backslash D \to G < \mathcal{S}$  By hypothesis

$\Gamma;\mathcal{D} \wedge D \backslash G < \mathcal{S}$  By inversion

$\iota' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} D' \gg Q$ and $\models_{\mathcal{S}} D'$ and $\pi' :: \Gamma';(\mathcal{D}' \wedge D') \nvdash_{\mathcal{P}} G'$ and $\Gamma';(\mathcal{D}' \wedge D') \backslash G' < \mathcal{S}$  By IH

$\pi'' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} (D' \to G')$ and $\Gamma';\mathcal{D}' \backslash (D' \to G') < \mathcal{S}$  By rule
6.3.  TERMINATING  PROGRAMS 


101 


Case:

$$\iota = \dfrac{\iota_1 :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \leftarrow G \gg Q}\ \gg\!\to_2$$

Subcase: $\iota' = \iota$: trivial.

Subcase: $\iota' < \iota$: then $\iota' \leq \iota_1$:

$\iota_1 :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G$  By sub-derivation

$\models_{\mathcal{S}} G \to D$  By hypothesis

$\Gamma;\mathcal{D} \backslash G < \mathcal{S}$ and $\models_{\mathcal{S}} D$  By inversion

$\pi' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and $\iota' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} D' \gg Q$ and $\models_{\mathcal{S}} D'$  By IH

$\iota'' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} (D' \leftarrow G') \gg Q$ and $\models_{\mathcal{S}} (D' \leftarrow G')$  By rule

Case:

$$\iota = \dfrac{\iota_1 :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \leftarrow G \gg Q}\ \gg\!\to_1$$

Subcase: $\iota' = \iota$: trivial.

Subcase: $\iota' < \iota$: then $\iota' \leq \iota_1$:

$\iota_1 :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$  By sub-derivation

$\models_{\mathcal{S}} G \to D$  By hypothesis

$\Gamma;\mathcal{D} \backslash G < \mathcal{S}$ and $\models_{\mathcal{S}} D$  By inversion

$\pi' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and $\iota' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} D' \gg Q$ and $\models_{\mathcal{S}} D'$  By IH

$\iota'' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} (D' \leftarrow G') \gg Q$ and $\models_{\mathcal{S}} (D' \leftarrow G')$  By rule

Case:

$$\iota = \dfrac{\text{for all } n \qquad \iota_1 :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} [n/x]D \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \forall x{:}A.\,D \gg Q}\ \gg\!\forall$$

Subcase: $\iota' = \iota$: trivial.

Subcase: $\iota' < \iota$: then $\iota' \leq \iota_1$.

$\models_{\mathcal{S}} \forall x{:}A.\,D$  By hypothesis

$\models_{\mathcal{S}} [u/x]D$  By inversion

For all $n$, $\iota_1 :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} [n/x]D \gg Q$  By sub-derivation

For all $n$, $\models_{\mathcal{S}} [n/u, u/x]D$  By substitution

$\pi' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} G'$ and $\Gamma';\mathcal{D}' \backslash G' < \mathcal{S}$ and for all $n$, $\iota'_1 :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} [n/x]D' \gg Q$ and $\models_{\mathcal{S}} [n/x]D'$  By IH

$\iota' :: \Gamma';\mathcal{D}' \nvdash_{\mathcal{P}} \forall x{:}A.\,D' \gg Q$ and $\models_{\mathcal{S}} \forall x{:}A.\,D'$  By rule

□

6.3 Terminating Programs

We now introduce terminating programs. The notion of termination that we adopt is the very strong universal one, as it is known in logic programming [SD94]. This is abstractly achieved by means of a relation between goals or between goals and clause heads, namely $\prec$, with the intended meaning of "$G_1$ [$G$] can arise as a subgoal of $G_2$ [$D$]". Intuitively, a program terminates if it yields an ordering relation which admits no infinite descending chains. This is defined in Figure 6.6. We do not commit here to actual ways to verify the latter property. This issue is explored, in the higher-order setting, for example in [RP96]. More formally:

Ordering  $R ::= \cdot \mid R, G \prec D \mid R, G_1 \prec G_2$

Let $\vdash \mathcal{P} \Rightarrow R$ and take the stable (that is, closed under substitutions) and transitive closure of $R$, call it $[R]$. We say that $\mathcal{P}$ is terminating, denoted $\mathcal{P} \downarrow$, whenever $[R]$ is well-founded.

Example 6.15 If $\mathit{even}$ defines the even numbers, $\vdash \mathit{even} \Rightarrow \mathit{even}(X) \prec \mathit{even}(s(s(X)))$. Furthermore the closure of this relation is well-founded, as it can be proven say by induction on $X$. Consider instead the following:

$$\forall E{:}\mathit{exp}.\ \forall M{:}\mathit{nat}.\ p\ (\mathit{lam}\ E)\ M \leftarrow (\forall x{:}\mathit{exp}.\ (\forall N{:}\mathit{nat}.\ p\ x\ (s\ N) \leftarrow p\ x\ (s\ N)) \to p\ (E\ x)\ M).$$

The clause is not terminating as the subgoal relation contains the pair $[y/x](p\ x\ (s\ N) \prec p\ x\ (s\ N))$, which yields an infinite descending chain $(p\ y\ (s\ 0)) \prec (p\ y\ (s\ 0)) \prec \ldots$

Finally, we define when a schema is terminating:

$$\dfrac{}{\circ \downarrow} \qquad \dfrac{\Gamma \vdash \mathcal{D} \downarrow \qquad \mathcal{S} \downarrow}{\mathcal{S} \,\|\, \Gamma;\mathrm{SOME}\ \Phi.\,\mathcal{D}\ \downarrow}$$

Since $\Phi$ ranges over $FV(\mathcal{D}) \setminus \Gamma$, we verify the termination of $\mathcal{D}$ in the $\Gamma$ context.

Lemma 6.16

1. If $\Gamma \vdash \mathcal{D} \Rightarrow R$, $D \subseteq \mathcal{D}$ and $\Gamma \vdash D \Rightarrow R'$, then $R' \subseteq R$.

2. If $\Gamma \vdash G \Rightarrow R$, $G' \prec G$ and $\Gamma \vdash G' \Rightarrow R'$, then $R' \subseteq R$.

Proof: By a straightforward mutual induction on the structure of $\Gamma \vdash D \Rightarrow R'$ and $\Gamma \vdash G' \Rightarrow R'$. □

Corollary 6.17 If $\Gamma \vdash \mathcal{D} \downarrow$ and $D \subseteq \mathcal{D}$, then $\Gamma \vdash D \downarrow$.

Proof: By definition, $\Gamma \vdash \mathcal{D} \downarrow$ if $\Gamma \vdash \mathcal{D} \Rightarrow R$ and $[R]$ is well-founded; by Lemma 6.16 $\Gamma \vdash D \Rightarrow R'$, and $R' \subseteq R$. Thus $[R']$ is well-founded, and $\Gamma \vdash D \downarrow$. □

Lemma 6.18 Let $\mathcal{S} \downarrow$. If $\Gamma;\mathcal{D} < \mathcal{S}$ and $D \subseteq \mathcal{D}$, then $D \downarrow$.

Proof: By induction on the structure of $\mathcal{S} \downarrow$, using Corollary 6.17. □

We can now prove that if a program is terminating, a non-proof of any ground $G$ is a denial of $G$; we are going to reason classically that either there is a proof of $G$, or there is no such proof. We recall that $\nvdash$ is the denial relation introduced in Figures 6.1 and 6.2.

Theorem 6.19 (Termination) Let $\mathcal{P} \downarrow$ and $\mathcal{S} \downarrow$ be a schema such that $\models_{\mathcal{S}} \mathcal{P}$ and $\Gamma;\mathcal{D} < \mathcal{S}$: for any ground $G$, if not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G$, then $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G$.

Proof: We generalize this to:

1. If not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G$, then $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G$.

2. For every $D \subseteq \mathcal{P} \wedge \mathcal{D}$, if not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$, then $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$.

We proceed by mutual induction on the goal ordering induced by $\mathcal{P}$ terminating and on the structure of $D$: we start with 2. Since $D$ is an instance of a terminating clause either from the program or the run-time context, by stability and Lemma 6.18, it is terminating as well.
Figure 6.6: Generation of the subgoal relation

$$\dfrac{X \in \{Q, \top, \bot\} \text{ or (dis)eq}}{\Gamma \vdash X \Rightarrow \cdot} \qquad \dfrac{\Gamma \vdash G \Rightarrow R_1 \qquad \Gamma \vdash D \Rightarrow R_2}{\Gamma \vdash D \to G \Rightarrow R_1, R_2, G \prec D \to G} \qquad \dfrac{\Gamma, y{:}A \vdash G \Rightarrow R}{\Gamma \vdash \forall x{:}A.\,G \Rightarrow R, [y/x]G \prec \forall x{:}A.\,G}\ \forall^y$$

$$\dfrac{\Gamma \vdash G_1 \Rightarrow R_1 \qquad \Gamma \vdash G_2 \Rightarrow R_2}{\Gamma \vdash G_1 \wedge G_2 \Rightarrow R_1, R_2, G_1 \prec G_1 \wedge G_2, G_2 \prec G_1 \wedge G_2} \qquad \dfrac{\Gamma \vdash G_1 \Rightarrow R_1 \qquad \Gamma \vdash G_2 \Rightarrow R_2}{\Gamma \vdash G_1 \vee G_2 \Rightarrow R_1, R_2, G_1 \prec G_1 \vee G_2, G_2 \prec G_1 \vee G_2}$$

$$\dfrac{X \in \{Q, \top, \bot\}}{\Gamma \vdash X \Rightarrow \cdot} \qquad \dfrac{\Gamma \vdash D \Rightarrow R_1 \qquad \Gamma \vdash G \Rightarrow R_2}{\Gamma \vdash (G \to D) \Rightarrow R_1, R_2, G \prec D} \qquad \dfrac{\Gamma \vdash [u/x]D \Rightarrow R}{\Gamma \vdash \forall x{:}A.\,D \Rightarrow R}\ \forall^u$$

$$\dfrac{\Gamma \vdash D_1 \Rightarrow R_1 \qquad \Gamma \vdash D_2 \Rightarrow R_2}{\Gamma \vdash D_1 \wedge D_2 \Rightarrow R_1, R_2} \qquad \dfrac{\Gamma \vdash D_1 \Rightarrow R_1 \qquad \Gamma \vdash D_2 \Rightarrow R_2}{\Gamma \vdash D_1 \vee D_2 \Rightarrow R_1, R_2}$$
Case: $D = \bot$: trivial.

Case: $D = \top$: $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \top \gg Q$, by rule $\nvdash\!\gg\!\top$.

Case: $D = D_1 \leftarrow G_1$. Either $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ or not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$, and $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ or not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$. By termination of $D_1 \leftarrow G_1$, $G_1 \prec D_1$, hence we can apply the IH to $G_1$. There are four sub-cases:

1. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \leftarrow G_1 \gg Q$, by rule $\gg\!\leftarrow$.

2. Not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1$ (By IH 1); $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \leftarrow G_1 \gg Q$, by rule $\nvdash\!\gg\!\leftarrow_2$.

3. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \leftarrow G_1 \gg Q$, by rule $\nvdash\!\gg\!\leftarrow_1$.

4. Not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \leftarrow G_1 \gg Q$, by rule $\nvdash\!\gg\!\leftarrow_1$.

Case: $D = D_1 \vee D_2$.

1. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \vee D_2 \gg Q$, by rule $\gg\!\vee$.

2. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_2 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \vee D_2 \gg Q$, by rule.

3. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \vee D_2 \gg Q$, by rule.

4. Not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q$ (By IH 2); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_2 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \vee D_2 \gg Q$, by rule.

Case: $D = D_1 \wedge D_2$.

1. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q$, by rule $\gg\!\wedge$.

2. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_2 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q$, by rule.

3. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q$, by rule.

4. Not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \gg Q$ (By IH 2); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_2 \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D_1 \wedge D_2 \gg Q$, by rule.

Case: $D = \forall x{:}A.\,D'$. For some ground $\Gamma \vdash t : A$, $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [t/x]D' \gg Q$, or for all ground $t$, not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [t/x]D' \gg Q$:

1. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [t/x]D' \gg Q$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall x{:}A.\,D' \gg Q$, by rule $\gg\!\forall$.

2. For all ground $t$, not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [t/x]D' \gg Q$ (Subcase); for all ground $t$, $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} [t/x]D' \gg Q$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \forall x{:}A.\,D' \gg Q$, by rule.

Case: $G = \top$: trivially true.

Case: $G = \bot$: $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \bot$, by rule $\nvdash\!\bot$.

Case: $G = Q$: either $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ for some $D$, or for every $D$ not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$:

1. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} Q$, by rule.

2. Not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ for every $D$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$ for every $D$ (By IH 2); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} Q$, by rule.

Case: $G = G_1 \wedge G_2$:

1. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \wedge G_2$, by rule.

2. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_2$ (By IH 1); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1 \wedge G_2$, by rule.

3. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1$ (By IH 1); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1 \wedge G_2$, by rule.

4. Not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1$ (By IH 1); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_2$ (By IH 1); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1 \wedge G_2$, by rule.

Case: $G = G_1 \vee G_2$:

1. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \vee G_2$, by rule.

2. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_2$ (By IH 1); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \vee G_2$, by rule.

3. $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1$ (By IH 1); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \vee G_2$, by rule.

4. Not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1$ (By IH 1); not $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$ (Subcase); $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_2$ (By IH 1); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G_1 \vee G_2$, by rule.

Case: $G = \forall x{:}A.\,G'$: for a new parameter $y$, $(\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G'$ or not $(\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G'$:

1. $(\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G'$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall x{:}A.\,G'$, by rule.

2. Not $(\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G'$ (Subcase); $(\Gamma, y{:}A);\mathcal{D} \nvdash_{\mathcal{P}} [y/x]G'$ (By IH 1); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \forall x{:}A.\,G'$, by rule.

Case: $G = D' \to G'$:

1. $\Gamma;(\mathcal{D} \wedge D') \vdash_{\mathcal{P}} G'$ (Subcase); hence $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D' \to G'$, by rule.

2. Not $\Gamma;(\mathcal{D} \wedge D') \vdash_{\mathcal{P}} G'$ (Subcase); $\Gamma;(\mathcal{D} \wedge D') \nvdash_{\mathcal{P}} G'$ (By IH 1); hence $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D' \to G'$, by rule.

Case: The (dis)equality case follows immediately from the decidability of the $=$, $\neq$ rules.

□


6.4  Complementable  Clauses 

We restrict ourselves to programs with:

• Complementable clauses as defined in Figure 6.7.

• Rules of the form $\forall(Q \leftarrow G)$, such that every (input) term in $Q$ is rigid.

• Parameters of base type and occurring only in head position, called Shallow Parameter Expressions:

SPE $e_x ::= x : a \mid \lambda y{:}A.\,e_x$

We do not formalize here the former assumptions on terms; note that the rigidity restriction applies only to predicates mutually recursive with non-Horn ones (see the comment at the end of the proof of Theorem 6.32). We do give a definition of complementable clause in Figure 6.7.
Complementable goals:

$$\frac{X \in \{\top, \bot\} \text{ or (dis)eq}}{\Gamma;\mathcal{D} \vdash X\ \mathit{compl}}\ \mathit{cg}X \qquad \frac{}{\Gamma;\top \vdash Q\ \mathit{compl}}\ \mathit{cgAt} \qquad \frac{\text{for all } D \subseteq \mathcal{D}:\ \mathit{dom}(\Gamma) \cap \mathit{par}(D) \neq \emptyset}{\Gamma;\mathcal{D} \vdash Q\ \mathit{compl}}\ \mathit{cgAt}_\pi$$

$$\frac{\Gamma;(\mathcal{D} \wedge D) \vdash G\ \mathit{compl} \quad \Gamma;\mathcal{D} \vdash D\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash D \to G\ \mathit{compl}}\ \mathit{cg}\!\to \qquad \frac{(\Gamma, y{:}a);\mathcal{D} \vdash [y/x]G\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash \forall x{:}a.\,G\ \mathit{compl}}\ \mathit{cg}\forall$$

$$\frac{\Gamma;\mathcal{D} \vdash G_1\ \mathit{compl} \quad \Gamma;\mathcal{D} \vdash G_2\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash G_1 \wedge G_2\ \mathit{compl}}\ \mathit{cg}\wedge \qquad \frac{\Gamma;\mathcal{D} \vdash G_1\ \mathit{compl} \quad \Gamma;\mathcal{D} \vdash G_2\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash G_1 \vee G_2\ \mathit{compl}}\ \mathit{cg}\vee$$

Complementable clauses:

$$\frac{X \in \{\top, \bot\}}{\Gamma;\mathcal{D} \vdash X\ \mathit{compl}}\ \mathit{cd}X \qquad \frac{\Gamma;\mathcal{D} \vdash D\ \mathit{compl} \quad \Gamma;\mathcal{D} \vdash G\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash D \leftarrow G\ \mathit{compl}}\ \mathit{cd}\!\leftarrow \qquad \frac{\Gamma;\mathcal{D} \vdash [u/x]D\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash \forall x{:}A.\,D\ \mathit{compl}}\ \mathit{cd}\forall$$

$$\frac{\Gamma;\mathcal{D} \vdash D_1\ \mathit{compl} \quad \Gamma;\mathcal{D} \vdash D_2\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash D_1 \wedge D_2\ \mathit{compl}}\ \mathit{cd}\wedge \qquad \frac{\Gamma;\mathcal{D} \vdash D_1\ \mathit{compl} \quad \Gamma;\mathcal{D} \vdash D_2\ \mathit{compl}}{\Gamma;\mathcal{D} \vdash D_1 \vee D_2\ \mathit{compl}}\ \mathit{cd}\vee$$

Figure 6.7: Complementable clause and goal: $\Gamma;\mathcal{D} \vdash D\ \mathit{compl}$ and $\Gamma;\mathcal{D} \vdash G\ \mathit{compl}$
Example 6.20 The clause encoding the introduction rule for implication in natural deduction from Example 5.1 is not complementable:

$\mathit{impi} : \mathit{nd}(A\ \mathit{imp}\ B) \leftarrow (\mathit{nd}(A) \to \mathit{nd}(B)).$

On the other hand, the following is allowed by rule $\mathit{cgAt}_\pi$:

$\mathit{oplam} : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \mathit{open}\ (\mathit{lam}\ E) \leftarrow (\forall x{:}\mathit{exp}.\ \mathit{open}\ x \to \mathit{open}\ (E\ x)).$

The restriction on goals and clauses yields this revised grammar:

Clauses $D ::= \top \mid \bot \mid \forall(Q \leftarrow G) \mid D_1 \wedge D_2 \mid D_1 \vee D_2$

Goals $G ::= Q \mid \top \mid \bot \mid M = N \mid M \neq N \mid G_1 \wedge G_2 \mid G_1 \vee G_2 \mid D \to G \mid \forall x{:}a.\,G$

We use $\forall(Q \leftarrow G)$ as a normal form for 'rules', where the quantifier binds every free variable in $Q \leftarrow G$. This has the technical advantage of providing a handle for both the head of a clause and the set of all its free variables at the same time, which will be crucial to describe the complement algorithm. In particular, 'facts' are represented by $\forall(Q \leftarrow \top)$, although in examples we will omit to mention the body. We accordingly specialize the immediate implication and denial rules as follows:


$$\frac{\Gamma \vdash \sigma : FV(N) \setminus \mathit{dom}(\Gamma) \quad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N = M \quad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(q\,N \leftarrow G) \gg q\,M}\ \gg\!\leftarrow$$

$$\frac{\text{for all } \theta:\ \Gamma \vdash \theta : FV(N) \setminus \mathit{dom}(\Gamma) \quad \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} [\theta]N = M}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \forall(q\,N \leftarrow G) \gg q\,M}\ \nvdash\!\gg\!\leftarrow_1$$

$$\frac{\Gamma \vdash \sigma : FV(N) \setminus \mathit{dom}(\Gamma) \quad \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} [\sigma]N \neq M \quad \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} \forall(q\,N \leftarrow G) \gg q\,M}\ \nvdash\!\gg\!\leftarrow_2$$

We remark that the 'guards' in the immediate denial rules are constructed so as to make the positive and negative judgment mutually independent. Thus $\nvdash\!\gg\!\leftarrow_1$ says that a clause $\forall(q\,N \leftarrow G)$ denies a goal $q\,M$ if, for all well-typed substitutions $\theta$, $[\theta]N$ and $M$ clash. Rule $\nvdash\!\gg\!\leftarrow_2$ instead attributes denial with the same conclusion to 'failure' in the body.

Clause complementation is taken definition-wise. We cluster a program in a conjunction of possibly mutually recursive predicate definitions. We accomplish this with the following:

Definition 6.21 ($\Gamma \vdash \mathit{def}(q, D)$)

$\Gamma \vdash \mathit{def}(q, \top) = \top_q$

$\Gamma \vdash \mathit{def}(q, \bot) = \bot_q$

$\Gamma \vdash \mathit{def}(q, \forall(Q \leftarrow G)) = \forall(Q \leftarrow G)$ if $Q = q\,M$

$\Gamma \vdash \mathit{def}(q, \forall(Q \leftarrow G)) = \top_q$ otherwise

$\Gamma \vdash \mathit{def}(q, D_1 \wedge D_2) = \Gamma \vdash \mathit{def}(q, D_1) \wedge \Gamma \vdash \mathit{def}(q, D_2)$

$\Gamma \vdash \mathit{def}(q, D_1 \vee D_2) = \Gamma \vdash \mathit{def}(q, D_1) \vee \Gamma \vdash \mathit{def}(q, D_2)$

If $D = \mathcal{P}$, i.e. the underlying program (seen as a conjunction of clauses), we call $\cdot \vdash \mathit{def}(q, \mathcal{P})$ the static definition of $q$, and if $\Gamma;\mathcal{D}$ is the conjunction of a run-time context, we call the latter the dynamic definition of $q$. We avoid mentioning the parameter context when it can be inferred from the context. As a special case, an undefined predicate $q$, i.e. a predicate which occurs in the body of a clause but not as a head, is represented by the empty conjunction $\top_q$. Conversely, $\bot_q$ denotes the universal definition for $q$. We agree to consider $\top_q$ ($\bot_q$ resp.) as the zero (one) element for conjunction and disjunction and implicitly apply the appropriate absorption operations; for example:
We overload the notation $D \subseteq \mathcal{D}$ in the case $D \subseteq \Gamma \vdash \mathit{def}(q, \mathcal{P} \wedge \mathcal{D})$ to indicate the relation that satisfies the following rules:

$$\frac{}{D \subseteq D} \qquad \frac{D_1 \subseteq \mathcal{D} \quad D_2 \subseteq \mathcal{D}}{D_1 \wedge D_2 \subseteq \mathcal{D}} \qquad \frac{D_1 \subseteq \mathcal{D} \quad D_2 \subseteq \mathcal{D}}{D_1 \vee D_2 \subseteq \mathcal{D}}$$

The immediate implication and denial judgments are specialized as follows:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$: Clause $D$ from $\Gamma \vdash \mathit{def}(q, \mathcal{P} \wedge \mathcal{D})$ immediately entails atom $Q$.

$\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$: Clause $D$ from $\Gamma \vdash \mathit{def}(q, \mathcal{P} \wedge \mathcal{D})$ immediately denies atom $Q$.

In particular, the 'At' rules are:

$$\frac{D \subseteq \mathit{def}(q, \mathcal{P} \wedge \mathcal{D}) \quad [\Gamma];[\mathcal{D}] \vdash_{\mathcal{P}} D \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} Q}\ \vdash\!\mathit{At} \qquad \frac{D \subseteq \mathit{def}(q, \mathcal{P} \wedge \mathcal{D}) \quad [\Gamma];[\mathcal{D}] \nvdash_{\mathcal{P}} D \gg Q}{\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} Q}\ \nvdash\!\mathit{At}$$

Accordingly, we also specialize the rule for schema satisfaction: we use $\rho$ to denote a global substitution, i.e. one such that $\mathit{dom}(\rho)$ is a set of new global parameters.

■;T\MG<5 

- 

\=s^{Q  ^  G)y>q  M 

It  is  clear  that  all  the  above  rules  are  derived  rules  of  inference,  as  can  be  proven  by  a  straightforward 
induction  on  the  number  of  free  variables  in  N . 

6.4.1  Normalization  of  Input  Variables 

We present in Figure 6.8 the rules for normalization of input variables. Since we are currently working with the restriction to ground goals, those are all the variables which are universally quantified in the head of a clause. When they occur positively in dynamic assumptions, they will carry some instantiation. It simplifies the presentation of the clause complementation algorithm if we forbid this kind of occurrence. The idea is to replace every positive occurrence of an input variable in an assumption with a new (local) universal variable, which is then constrained to be equal to the input one.

Example 6.22 Consider the typing clause for lambda terms:

$\mathit{oflam} : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \forall T_1, T_2{:}\mathit{tp}.$
$\quad \mathit{of}\ (\mathit{lam}\ E)\ (\mathit{arrow}\ T_1\ T_2)$
$\quad\quad \leftarrow (\forall x{:}\mathit{exp}.\ \mathit{of}\ x\ T_1 \to \mathit{of}\ (E\ x)\ T_2).$

As $T_1$ is an input term occurring positively in the assumption $\mathit{of}\ x\ T_1$, normalization of input variables inserts a new variable $T$ and constrains it to be equal to $T_1$:

$\mathit{oflam}' : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \forall T_1, T_2{:}\mathit{tp}.$
$\quad \mathit{of}\ (\mathit{lam}\ E)\ (\mathit{arrow}\ T_1\ T_2)$
$\quad\quad \leftarrow (\forall x{:}\mathit{exp}.\ (\forall T{:}\mathit{tp}.\ \mathit{of}\ x\ T \leftarrow T = T_1) \to \mathit{of}\ (E\ x)\ T_2).$

This procedure is realized by the judgments:

• $D \mapsto D'$: clause normalization.

• $\Gamma \vdash_\Phi G \mapsto G'$: goal normalization.

• $\Phi;\Gamma \vdash D \mapsto D'$: assumption normalization w.r.t. global parameters in $\Phi$.

• $\Delta;\Phi;\Gamma \vdash M \mapsto M', E$: term $M$ normalizes to term $M'$ returning a conjunction of equations $E$ w.r.t. bound ($\Gamma$), global ($\Phi$) and existential ($\Delta$) variables.

The first three judgments simply recur on the structure of clauses, goals and assumptions, keeping track of bound, global and existential variables in assumptions, until we normalize an assumption $\forall(Q \leftarrow G)$: here we descend into every term by introducing new local existential variables and binding them to the global ones via an equation $E$. For the sake of conciseness, we do this for the simply-typed fragment; the generalization to the strict one is immediate. In the rule for $\forall(Q \leftarrow G)$ we introduce in the global context all the global parameters in the domain of $\rho$ with the appropriate typing.

It is clear, although very tedious, to verify that this transformation preserves provability and denial:

Lemma 6.23 Assume $\Delta;\Phi;\Gamma \vdash M \mapsto M', E$; for every ground $N$ and every $\Gamma;\mathcal{D}$, $\Gamma;\mathcal{D} \vdash M = N$ iff $\Gamma;\mathcal{D} \vdash (M' = N) \wedge E$.

Proof: By a straightforward induction on the structure of $\Delta;\Phi;\Gamma \vdash M \mapsto M', E$. □

Theorem 6.24 Let $\Gamma \vdash \theta : \Phi$, $\Phi;\Gamma \vdash \mathcal{D} \mapsto \mathcal{D}'$, $D \mapsto D'$ and $\Gamma \vdash_\Phi G \mapsto G'$:

1. $\Gamma;[\theta]\mathcal{D} \vdash [\theta]D \gg Q$ iff $\Gamma;[\theta]\mathcal{D}' \vdash [\theta]D' \gg Q$.

2. $\Gamma;[\theta]\mathcal{D} \vdash [\theta]G$ iff $\Gamma;[\theta]\mathcal{D}' \vdash [\theta]G'$.

Proof: By a straightforward mutual induction on the structure of the given derivations, using Lemma 6.23. □

6.5  The  Clause  Complement  Algorithm 

We now introduce in Figure 6.9 and Figure 6.10 the rules for static and dynamic clause complementation. Consider a rule $\forall(q\,M \leftarrow G)$; its complement must contain a 'factual' part motivating failure due to clash with the head; the remainder, $\mathrm{NotG}(G)$, expresses failure in the body, if any. Clause complementation must discriminate whether this rule belongs to the static or dynamic definition of a predicate. In the first case all the relevant information is already present in the head of the clause and we can, without further ado, use the term complementation algorithm described in Chapter 4. This is accomplished by the rule $\mathrm{NotD}\!\leftarrow$, where a set of negative facts is built via term complementation $\mathrm{Not}(M)$ applied in the empty context to the (vector of) terms in the clause head, namely $\bigwedge_{N \in \cdot \vdash \mathrm{Not}(M)}$; moreover, the negative counterpart of the source clause is obtained via complementation of the body. The Partition Lemma (Corollary 4.21) guarantees the soundness and completeness of this case.

Assumption complementation is realized by the judgment $\Gamma \vdash \mathrm{Not}_\alpha(D)$, which can be seen as a type-directed, parameter-conscious version of clause complementation. In a first approximation, we can think of complementation of assumptions, which are by definition parametric in some $x$, as static clause complementation w.r.t. $x$. Informally, for an atomic assumption, say $q\,M_1 \ldots M_{i-1}\,e_x\,M_{i+1} \ldots M_n$, its complement can be taken as $\mathrm{NotD}(q\,e_x\,M_1 \ldots M_{i-1}\,M_{i+1} \ldots M_n)$, for a shallow parameter expression $e_x$. This is accomplished in two main phases: first, $e_x$ is propagated into every position $1 \le j \le n$ holding a rigid term of compatible type, but different from $e_x$ itself. This alone builds an element of the complement set. Secondly, the idea is to apply term complementation 'around' $e_x$. In particular, if $M_j$ is a variable, by normalization of input variables it must be a local one, and term complementation contributes nothing, as expected. If $M_j$ is a parameter expression or a compound term, we simply take the term complement of the former term, with the notable difference of passing the current parameter context to term complementation.




Clause normalization $D \mapsto D'$:

$$\frac{X \in \{\top, \bot\}}{X \mapsto X}\ \mapsto\!X \qquad \frac{\cdot \vdash_{\mathit{dom}(\rho)} [\rho]G \mapsto [\rho]G'}{\forall(Q \leftarrow G) \mapsto \forall(Q \leftarrow G')}\ \mapsto\!\forall$$

$$\frac{D_1 \mapsto D_1' \quad D_2 \mapsto D_2'}{D_1 \wedge D_2 \mapsto D_1' \wedge D_2'}\ \mapsto\!\wedge \qquad \frac{D_1 \mapsto D_1' \quad D_2 \mapsto D_2'}{D_1 \vee D_2 \mapsto D_1' \vee D_2'}\ \mapsto\!\vee$$

Goal normalization $\Gamma \vdash_\Phi G \mapsto G'$:

$$\frac{X \in \{\top, \bot, Q\} \text{ or (dis)eq}}{\Gamma \vdash_\Phi X \mapsto X}\ \mapsto\!X \qquad \frac{\Phi;\Gamma \vdash D \mapsto D' \quad \Gamma \vdash_\Phi G \mapsto G'}{\Gamma \vdash_\Phi (D \to G) \mapsto (D' \to G')}\ \mapsto\!\to$$

$$\frac{(\Gamma, y{:}a) \vdash_\Phi [y/x]G \mapsto [y/x]G'}{\Gamma \vdash_\Phi \forall x{:}a.\,G \mapsto \forall x{:}a.\,G'}\ \mapsto\!\forall$$

$$\frac{\Gamma \vdash_\Phi G_1 \mapsto G_1' \quad \Gamma \vdash_\Phi G_2 \mapsto G_2'}{\Gamma \vdash_\Phi G_1 \wedge G_2 \mapsto G_1' \wedge G_2'}\ \mapsto\!\wedge \qquad \frac{\Gamma \vdash_\Phi G_1 \mapsto G_1' \quad \Gamma \vdash_\Phi G_2 \mapsto G_2'}{\Gamma \vdash_\Phi G_1 \vee G_2 \mapsto G_1' \vee G_2'}\ \mapsto\!\vee$$

Assumption normalization $\Phi;\Gamma \vdash D \mapsto D'$:

$$\frac{X \in \{\top, \bot\}}{\Phi;\Gamma \vdash X \mapsto X}\ \mapsto\!X$$

$$\frac{\Delta = FV(M_n) \setminus \mathit{dom}(\Gamma \cup \Phi) \quad \Delta;\Phi;\Gamma \vdash M_1 \mapsto M_1', E_1 \quad \cdots \quad \Delta;\Phi;\Gamma \vdash M_n \mapsto M_n', E_n}{\Phi;\Gamma \vdash \forall(q\,M_n \leftarrow G) \mapsto \forall(q\,M_n' \leftarrow E_1 \wedge \ldots \wedge E_n \wedge G)}\ \mapsto\!\leftarrow$$

$$\frac{\Phi;\Gamma \vdash D_1 \mapsto D_1' \quad \Phi;\Gamma \vdash D_2 \mapsto D_2'}{\Phi;\Gamma \vdash D_1 \wedge D_2 \mapsto D_1' \wedge D_2'}\ \mapsto\!\wedge \qquad \frac{\Phi;\Gamma \vdash D_1 \mapsto D_1' \quad \Phi;\Gamma \vdash D_2 \mapsto D_2'}{\Phi;\Gamma \vdash D_1 \vee D_2 \mapsto D_1' \vee D_2'}\ \mapsto\!\vee$$

Term normalization $\Delta;\Phi;\Gamma \vdash M \mapsto M', E$:

$$\frac{}{\Delta;\Phi;(\Gamma, x{:}A) \vdash x \mapsto x, \top} \qquad \frac{Z \text{ new}}{\Delta;(\Phi, u{:}A);\Gamma \vdash u \mapsto Z, Z = u} \qquad \frac{}{(\Delta, x{:}A);\Phi;\Gamma \vdash x \mapsto x, \top}$$

$$\frac{\Delta;\Phi;\Gamma \vdash M_1 \mapsto M_1', E_1 \quad \Delta;\Phi;\Gamma \vdash M_2 \mapsto M_2', E_2}{\Delta;\Phi;\Gamma \vdash M_1\,M_2 \mapsto M_1'\,M_2', E_1 \wedge E_2}\ \mapsto\!\mathit{App} \qquad \frac{\Delta;\Phi;(\Gamma, x{:}A) \vdash M \mapsto M', E}{\Delta;\Phi;\Gamma \vdash \lambda x{:}A.\,M \mapsto \lambda x{:}A.\,M', E}\ \mapsto\!\lambda$$

Figure 6.8: Clause, goal, assumption and term normalization
$$\frac{}{\mathrm{NotD}(\top) = \bot}\ \mathrm{NotD}\top \qquad \frac{}{\mathrm{NotD}(\bot) = \top}\ \mathrm{NotD}\bot$$

$$\frac{\cdot \vdash \mathrm{NotG}(G) = G'}{\mathrm{NotD}(\forall(q\,M \leftarrow G)) = \bigwedge_{N \in \cdot \vdash \mathrm{Not}(M)} \forall(\neg(q\,N) \leftarrow \top) \wedge \forall(\neg q\,M \leftarrow G')}\ \mathrm{NotD}\!\leftarrow$$

$$\frac{\mathrm{NotD}(D_1) = D_1' \quad \mathrm{NotD}(D_2) = D_2'}{\mathrm{NotD}(D_1 \wedge D_2) = D_1' \vee D_2'}\ \mathrm{NotD}\wedge \qquad \frac{\mathrm{NotD}(D_1) = D_1' \quad \mathrm{NotD}(D_2) = D_2'}{\mathrm{NotD}(D_1 \vee D_2) = D_1' \wedge D_2'}\ \mathrm{NotD}\vee$$

Figure 6.9: Clause complementation: $\mathrm{NotD}(D) = D'$


However, not all parameters are born alike; in many situations, a parametric judgment is used simply to descend into a scoping construct, while the parameter itself does not play a role w.r.t. provability and denial. Consider, for example, the following program that checks whether a universal formula is a $D$-clause:

$\mathit{form}, \mathit{term} : \mathit{type}.$
$\mathit{all} : (\mathit{term} \to \mathit{form}) \to \mathit{form}.$
$\mathit{isd} : \mathit{form} \to o.$
$\mathit{isdall} : \forall D{:}\mathit{term} \to \mathit{form}.\ \mathit{isd}\ (\mathit{all}\ D) \leftarrow \forall x{:}\mathit{term}.\ \mathit{isd}\ (D\ x).$

This phenomenon is known in the literature under the name of subordination and has been extensively studied in the dependently typed context [Vir99]. In the simply typed setting, this relation collapses to merely checking whether the type of the parameter is equal to the target type of some argument of the predicate. More formally, we say that $x{:}A$ is relevant to $Q$ if $\mathit{head}(Q) = q$, $\Sigma(q) = A_1 \to \ldots \to A_n \to o$ and for some $1 \le i \le n$ it holds that $\mathit{target}(A_i) = A$; we denote this with $x\,R^i\,q$. In the above example, as $\mathit{term} \neq \mathit{form}$, $x{:}\mathit{term}$ is not relevant to $\mathit{isd} : \mathit{form} \to o$. W.r.t. clause complementation, if the parameter $x$ is not relevant to $q$, we do not need to build complementary facts out of it, although they would not impact soundness, i.e. Exclusivity (Theorem 6.32).

We concentrate on rules $\mathrm{Not}_\alpha\top$ and $\mathrm{Not}_\alpha\!\leftarrow$. The notation $[e_x/Z_i]Z_n$ is an abbreviation for $Z_1 \ldots Z_{i-1}\,e_x\,Z_{i+1} \ldots Z_n$, where the $Z$'s are fresh logic variables; similarly for $[e_x/Z_i, N/Z_j]Z_n$. The main loop goes as follows:

• Choose a parameter $x{:}a \in \Gamma$.

• Propagate $e_x$ into every 'odd' position.

• Locate a type $A_i$ such that $x$ is relevant to $Q$ at $i$:

  - Complement $D$ w.r.t. $x$ and $i$.

  - Repeat for every relevant position $i$.

• Repeat for every $x$.

Rule $\mathrm{Not}_\alpha\!\leftarrow$ is the most complicated one: having fixed a parameter $x$, there are two ways in which an atomic assumption $q\,M_1 \ldots M_{i-1}\,e_x\,M_{i+1} \ldots M_n$ needs to be complemented. First, any atom with the same head and with a term $N_j = e_x$ for $i \neq j$ is in the complement of the former. Moreover, since they do differ in one coordinate,
$$\frac{}{\Gamma \vdash \mathrm{Not}_\alpha(\bot) = \top}\ \mathrm{Not}_\alpha\bot \qquad \frac{\Sigma(q) = A_1 \to \cdots \to A_n \to o}{\Gamma \vdash \mathrm{Not}_\alpha(\top_q) = \bigwedge_{x \in \mathit{dom}(\Gamma)} \Big( \bigwedge_{1 \le i \le n,\ x R^i q} \Gamma \vdash \mathrm{Not}^{x}_{i}(\top_q) \Big)}\ \mathrm{Not}_\alpha\top$$

$$\frac{\Gamma \vdash \mathrm{NotG}(G) = G'}{\Gamma \vdash \mathrm{Not}_\alpha(\forall(q\,M_n \leftarrow G)) = \bigwedge_{x \in \mathit{dom}(\Gamma)} \Big( \bigwedge_{1 \le i \le n,\ x R^i q} \Gamma \vdash \mathrm{Not}^{x}_{i}(q\,M_n) \wedge \Gamma \vdash \mathrm{Not}^{i}_{x}(q\,M_n) \Big) \wedge \forall(\neg q\,M_n \leftarrow G')}\ \mathrm{Not}_\alpha\!\leftarrow$$

$$\frac{\Gamma \vdash \mathrm{Not}_\alpha(D_1) = D_1' \quad \Gamma \vdash \mathrm{Not}_\alpha(D_2) = D_2'}{\Gamma \vdash \mathrm{Not}_\alpha(D_1 \wedge D_2) = D_1' \vee D_2'}\ \mathrm{Not}_\alpha\wedge \qquad \frac{\Gamma \vdash \mathrm{Not}_\alpha(D_1) = D_1' \quad \Gamma \vdash \mathrm{Not}_\alpha(D_2) = D_2'}{\Gamma \vdash \mathrm{Not}_\alpha(D_1 \vee D_2) = D_1' \wedge D_2'}\ \mathrm{Not}_\alpha\vee$$

$$\frac{\Gamma \vdash M_i : A_i \text{ rigid} \quad \cdot \vdash \mathit{sh}(x, A_i) = e_x \quad M_i \neq e_x}{\Gamma \vdash \mathrm{Not}^{x}_{i}(q\,M_n) = \forall Z_1{:}A_1. \ldots \forall Z_n{:}A_n.\ \neg q\,[e_x/Z_i]Z_n}\ \Gamma \vdash \mathrm{Not}^{x}$$

$$\frac{M_i = e_x}{\Gamma \vdash \mathrm{Not}^{i}_{x}(q\,M_n) = \bigwedge_{1 \le j \le n,\ j \neq i} \Big( \bigwedge_{N \in (\Gamma \vdash \mathrm{Not}(M_j))} \forall Z_1{:}A_1. \ldots \forall Z_n{:}A_n.\ \neg q\,[e_x/Z_i, N/Z_j]Z_n \Big)}\ \Gamma \vdash \mathrm{Not}_{x}$$

$$\frac{}{\Gamma \vdash \mathit{sh}(x, a) = x}\ e_x\mathit{At} \qquad \frac{\Gamma, y{:}A \vdash \mathit{sh}(x, B) = e_x}{\Gamma \vdash \mathit{sh}(x, A \to B) = \lambda y{:}A.\,e_x}\ e_x\!\to$$

Figure 6.10: Assumption complementation: $\Gamma \vdash \mathrm{Not}_\alpha(D) = D'$
we may as well leave open every other term. This is encoded in rule $\Gamma \vdash \mathrm{Not}^{x}$. Of course, we have to make sure that $N_j$ is not flexible and that the type is appropriate. Since $x$ is passed as a parameter, the $\Gamma \vdash \mathit{sh}(x, A)$ judgment builds a shallow parameter expression as required by the type of the position in $q$ where it ought to occur.

Secondly, we have to take into account the case $M_i = e_x$: here we can build a set of complementary facts by pivoting on $e_x$ and making another position different. Luckily, we can achieve this via a call to term complementation and build a set of complementary facts similarly to clause complementation. The difference is that we pass to term complementation, as a context, the set of parametric bound variables. Finally, both processes are repeated for every $M_i$.

Notice the different treatment of the trivial clause $\top$ by rules $\mathrm{NotD}\top$ and $\mathrm{Not}_\alpha\top$: if no parameter has been assumed, then $\top$ truly stands for the empty predicate definition and its complement is the universal definition $\bot$. If, on the other side, $\Gamma$ is not empty, it means that $\top_q$ has been introduced during the normalization preprocessing phase and has been localized to the predicate $q$. Here we need to construct a new negative assumption w.r.t. $q$, $x$, $i$ in case $\top_q$ is the only dynamic definition of $q$. As $\top_q$ carries no information at all concerning $q$, the most general negative assumption is added. This is accomplished again by rule $\Gamma \vdash \mathrm{Not}^{x}$, where we make the convention to view $\top_q$ as a degenerate case of $q\,M_n$ where the sequence $M_n$ is empty (and thus the condition is trivially satisfied).

The remaining (common) rules for static and dynamic clause complementation simply recur on the program, respecting the duality of conjunction and disjunction w.r.t. negation. This is a somewhat delicate point and therefore we discuss it in some detail. Intuitively, negative clauses stemming from the complement of the definition of a predicate need to be considered simultaneously. In fact, if a goal is unprovable from its definition, then its negation must be provable from the complement of each clause of its definition; symmetrically, if it is provable, then its negation must be unprovable from the complement of at least one. What we have described coincides with the operational semantics of an operator which works exactly as disjunction. This is arguably at odds with the commonly held goal-oriented interpretation of the sequent calculus as uniform proofs, since case analysis makes the latter incomplete w.r.t. minimal logic (but see [NL95] for ways to incorporate the former in the framework of uniform proofs). In Section 6.9.2 we will show how to 'compile away' all occurrences of $\vee$ in clauses. This is a higher-order equivalent of the intersection operator described in [BMPT90] and will restore completeness of uniform proofs.

Goal complementation, that is the judgment $\mathrm{NotG}(G)$ depicted in Figure 6.11, is straightforward, since it only brings the body into a normalized format; namely, into what we may call parametric negation normal form, to stress the distinction from classical negation normal form or even from negation normal form in constructive logics as extensions of intuitionism with strong negation [Nel49]. This re-iterates the problem with strong negation we have hinted at in Section 5.3: negation is pushed inward but jumps over parametric-hypothetical judgments to respect the operational interpretation of unprovability.

As a final remark, we note again that we must take the complementation of a program, seen as a conjunction, predicate definition-wise rather than clause-wise. In fact, it would be incorrect to simply negate a program, as it would introduce disjunctions rather than conjunctions among predicate definitions. The same remark applies to the 'dynamic' program $\mathcal{D}$. Formally, given a fixed signature $\Sigma$ and a program $\mathcal{P}$:

$$\mathrm{NotD}(\mathcal{P}) = \bigwedge_{q \in \Sigma} \mathrm{NotD}(\mathit{def}(q, \mathcal{P}))$$

Similarly for a (possibly run-time) context $\Gamma;\mathcal{D}$:

$$\Gamma \vdash \mathrm{Not}_\alpha(\mathcal{D}) = \bigwedge_{q \in \Sigma} \Gamma \vdash \mathrm{Not}_\alpha(\mathit{def}(q, \mathcal{D}))$$

Note that if $\Gamma;\mathcal{D}$ is a run-time context, it consists of a conjunction of blocks, i.e. it has the form $\Gamma'', [\Gamma'];\mathcal{D}'' \wedge [\mathcal{D}']$; in this case the definition of $q$ consists of the conjunction of the definitions for every block, namely $\Gamma' \vdash \mathit{def}(q, \mathcal{D}') \wedge \Gamma'' \vdash \mathit{def}(q, \mathcal{D}'')$. We abbreviate $\mathrm{NotD}(\mathit{def}(q))$ as $\mathit{def}(\neg q)$. If $\mathcal{P}$ is the source program, we abbreviate $\mathrm{NotD}(\mathcal{P})$ similarly.

Finally, we provide an example which, even though it is somewhat a special case of the general procedure, assumption complementation being trivial, helps to clarify the rules for clause and goal complementation
$$\frac{}{\Gamma \vdash \mathrm{NotG}(\top) = \bot}\ \mathrm{NotG}\top \qquad \frac{}{\Gamma \vdash \mathrm{NotG}(\bot) = \top}\ \mathrm{NotG}\bot$$

$$\frac{}{\Gamma \vdash \mathrm{NotG}(M = N) = (M \neq N)}\ \mathrm{Not}\!= \qquad \frac{}{\Gamma \vdash \mathrm{NotG}(M \neq N) = (M = N)}\ \mathrm{Not}\!\neq$$

$$\frac{}{\Gamma \vdash \mathrm{NotG}(Q) = \neg Q}\ \mathrm{NotG}\mathit{At} \qquad \frac{\Gamma, y{:}a \vdash \mathrm{NotG}([y/x]G) = [y/x]G'}{\Gamma \vdash \mathrm{NotG}(\forall x{:}a.\,G) = \forall x{:}a.\,G'}\ \mathrm{NotG}\forall$$

$$\frac{\Gamma \vdash \mathrm{NotG}(G_1) = G_1' \quad \Gamma \vdash \mathrm{NotG}(G_2) = G_2'}{\Gamma \vdash \mathrm{NotG}(G_1 \wedge G_2) = G_1' \vee G_2'}\ \mathrm{NotG}\wedge \qquad \frac{\Gamma \vdash \mathrm{NotG}(G_1) = G_1' \quad \Gamma \vdash \mathrm{NotG}(G_2) = G_2'}{\Gamma \vdash \mathrm{NotG}(G_1 \vee G_2) = G_1' \wedge G_2'}\ \mathrm{NotG}\vee$$

$$\frac{\Gamma \vdash \mathrm{NotG}(G) = G'}{\Gamma \vdash \mathrm{NotG}(D \to G) = D \to G'}\ \mathrm{NotG}\!\to$$

Figure 6.11: Goal complementation: $\Gamma \vdash \mathrm{NotG}(G) = G'$

in isolation. We refer to the next Section (6.6) for more complex examples. We use $\forall F_1, F_2{:}A.\,X$ as an abbreviation of $\forall F_1{:}A.\ \forall F_2{:}A.\,X$.

Example 6.25 A $\lambda$-expression is closed if it has no occurrence of free variables; let $z : \mathit{exp}$ be a constant:

$\mathit{cloz} : \mathit{closed}\ z.$
$\mathit{clolam} : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \mathit{closed}\ (\mathit{lam}\ E) \leftarrow (\forall x{:}\mathit{exp}.\ (\mathit{closed}\ x \to \mathit{closed}\ (E\ x))).$
$\mathit{cloapp} : \forall E_1{:}\mathit{exp}.\ \forall E_2{:}\mathit{exp}.\ \mathit{closed}\ (\mathit{app}\ E_1\ E_2) \leftarrow \mathit{closed}\ E_1 \wedge \mathit{closed}\ E_2.$

Now, $\mathit{def}(\mathit{closed}) = \mathit{cloz} \wedge \mathit{clolam} \wedge \mathit{cloapp}$. Note that $x{:}\mathit{exp} \vdash \mathrm{Not}_\alpha(\mathit{closed}\ x) = \top$. Therefore:

$\mathit{def}(\neg\mathit{closed}) = \mathrm{NotD}(\mathit{cloz}) \vee \mathrm{NotD}(\mathit{clolam}) \vee \mathrm{NotD}(\mathit{cloapp})$

where:

$\mathrm{NotD}(\mathit{cloz}) = \bigwedge_{N \in \cdot \vdash \mathrm{Not}(z)} \neg(\mathit{closed}\ N)$
$\quad = (\forall F{:}\mathit{exp}.\ \neg\mathit{closed}\ (\mathit{lam}\ F)) \wedge \forall F_1, F_2{:}\mathit{exp}.\ \neg\mathit{closed}\ (\mathit{app}\ F_1\ F_2).$

$\mathrm{NotD}(\mathit{clolam}) = \bigwedge_{N \in \cdot \vdash \mathrm{Not}(\mathit{lam}\ E)} (\neg\mathit{closed}\ N) \wedge \forall E{:}\mathit{exp} \to \mathit{exp}.\ \neg\mathit{closed}\ (\mathit{lam}\ E) \leftarrow \mathrm{NotG}(\forall x{:}\mathit{exp}.\ (\mathit{closed}\ x \to \mathit{closed}\ (E\ x)))$
$\quad = \neg\mathit{closed}\ z \wedge (\forall F_1, F_2{:}\mathit{exp}.\ \neg\mathit{closed}\ (\mathit{app}\ F_1\ F_2)) \wedge \forall E{:}\mathit{exp} \to \mathit{exp}.\ \neg\mathit{closed}\ (\mathit{lam}\ E) \leftarrow (\forall x{:}\mathit{exp}.\ (\mathit{closed}\ x \to \neg\mathit{closed}\ (E\ x))).$

$\mathrm{NotD}(\mathit{cloapp}) = \bigwedge_{N \in \cdot \vdash \mathrm{Not}(\mathit{app}\ E_1\ E_2)} \neg(\mathit{closed}\ N) \wedge$
$$\frac{X \in \{\top, \bot\}}{\mathit{aug}_D(X) = X}\ \mathit{aug}_D X$$

$$\frac{\mathit{aug}_D(D_1) = D_1^a \quad \mathit{aug}_D(D_2) = D_2^a}{\mathit{aug}_D(D_1 \wedge D_2) = D_1^a \wedge D_2^a}\ \mathit{aug}_D\wedge \qquad \frac{\mathit{aug}_D(D_1) = D_1^a \quad \mathit{aug}_D(D_2) = D_2^a}{\mathit{aug}_D(D_1 \vee D_2) = D_1^a \vee D_2^a}\ \mathit{aug}_D\vee$$

$$\frac{\cdot;\top \vdash \mathit{aug}_G([\rho]G) = [\rho]G^a}{\mathit{aug}_D(\forall(Q \leftarrow G)) = \forall(Q \leftarrow G^a)}\ \mathit{aug}_D\!\leftarrow$$

Figure 6.12: Clause augmentation: $\mathit{aug}_D(D) = D^a$


$\quad \forall E_1, E_2{:}\mathit{exp}.\ \neg\mathit{closed}\ (\mathit{app}\ E_1\ E_2) \leftarrow \mathrm{NotG}(\mathit{closed}\ E_1 \wedge \mathit{closed}\ E_2)$
$\quad = \neg\mathit{closed}\ z \wedge (\forall F{:}\mathit{exp}.\ \neg\mathit{closed}\ (\mathit{lam}\ F)) \wedge \forall E_1, E_2{:}\mathit{exp}.\ \neg\mathit{closed}\ (\mathit{app}\ E_1\ E_2) \leftarrow \neg\mathit{closed}\ E_1 \vee \neg\mathit{closed}\ E_2.$

If you want to see the definition simplified, please skip to Example 6.39 and the final result in Example 6.43.
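The computation of Example 6.25 can be mechanized for the static (parameter-free) case. The following Python block is an added example, not code from the thesis: it implements goal complementation NotG (Figure 6.11), the static clause complementation NotD (Figure 6.9) with the absorption of negative rules whose body becomes ⊥, and the definition-wise clustering def(q, D) of Definition 6.21, and runs them on the `closed` program. Term complementation Not(M) is assumed here in its linear first-order form (every other constructor, plus the same constructor with one base-typed argument complemented); the higher-order strict algorithm of Chapter 4 and assumption complementation Notα are not implemented, so the block only covers programs whose assumptions complement to ⊤, as in this example. The signature (z, lam, app) and the tuple encoding of goals and clauses are constructed for the example.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    con: str
    args: tuple = ()

# Constructed signature mirroring Example 6.25: z : exp, lam : (exp -> exp) -> exp, app : exp -> exp -> exp.
SIG = {"exp": {"z": [], "lam": ["exp->exp"], "app": ["exp", "exp"]}}
_fresh = count(1)

def fresh(prefix="F"):
    return Var(f"{prefix}{next(_fresh)}")

def term_complement(t, ty="exp"):
    """Not(M) for a linear first-order pattern M of base type ty (assumed restriction): every other
    constructor of ty applied to fresh variables, plus M's own constructor with one base-typed
    argument replaced by an element of that argument's complement. A variable has an empty complement."""
    if isinstance(t, Var):
        return []
    out = [App(c, tuple(fresh() for _ in tys)) for c, tys in SIG[ty].items() if c != t.con]
    for i, aty in enumerate(SIG[ty][t.con]):
        if aty not in SIG:  # higher-order argument: outside this first-order helper
            continue
        for n in term_complement(t.args[i], aty):
            out.append(App(t.con, tuple(n if j == i else fresh() for j in range(len(t.args)))))
    return out

def vector_complement(ms):
    """Complement of a head vector M_1 ... M_n: differ from M_i in one position, leave the rest open."""
    return [tuple(n if j == i else fresh("Z") for j in range(len(ms)))
            for i, m in enumerate(ms) for n in term_complement(m)]

# Goals:   ("top",) ("bot",) ("atom", q, args) ("natom", q, args) ("eq", m, n) ("neq", m, n)
#          ("and", g1, g2) ("or", g1, g2) ("imp", d, g) ("forall", x, g)
# Clauses: ("top",) ("bot",) ("rule", q, args, body) ("and", d1, d2) ("or", d1, d2)

def not_g(g):
    """NotG of Figure 6.11: negation is pushed through the connectives and the universal
    quantifier, and jumps over the hypothesis of an implication."""
    k = g[0]
    if k in ("top", "bot"):
        return ("bot",) if k == "top" else ("top",)
    if k in ("eq", "neq"):
        return ("neq" if k == "eq" else "eq", g[1], g[2])
    if k == "atom":
        return ("natom", g[1], g[2])
    if k == "and":
        return ("or", not_g(g[1]), not_g(g[2]))
    if k == "or":
        return ("and", not_g(g[1]), not_g(g[2]))
    if k == "forall":
        return ("forall", g[1], not_g(g[2]))
    if k == "imp":
        return ("imp", g[1], not_g(g[2]))
    raise ValueError(f"not a goal: {k}")

def conj(ds):
    """Right-nested conjunction with top (the empty definition) as its unit."""
    ds = [d for d in ds if d != ("top",)]
    if not ds:
        return ("top",)
    out = ds[-1]
    for d in reversed(ds[:-1]):
        out = ("and", d, out)
    return out

def not_d(d):
    """NotD of Figure 6.9: conjunction and disjunction are dual under complementation; a rule
    V(q M <- G) yields one negative fact per element of Not(M) plus V(~q M <- NotG(G))."""
    k = d[0]
    if k in ("top", "bot"):
        return ("bot",) if k == "top" else ("top",)
    if k in ("and", "or"):
        return ("or" if k == "and" else "and", not_d(d[1]), not_d(d[2]))
    q, args, body = d[1], d[2], d[3]
    facts = [("rule", "~" + q, n, ("top",)) for n in vector_complement(args)]
    nbody = not_g(body)
    rest = [] if nbody == ("bot",) else [("rule", "~" + q, args, nbody)]  # absorb ~q M <- bot
    return conj(facts + rest)

def definition(q, clauses):
    """def(q, D) of Definition 6.21: the rules of D whose head predicate is q."""
    return conj([c for c in clauses if c[0] == "rule" and c[1] == q])

def negative_definition(q, clauses):
    """def(~q) = NotD(def(q, D)), taken definition-wise rather than clause-wise (Section 6.5)."""
    return not_d(definition(q, clauses))

def flatten(d):
    """List the rules of a clause tree built only from and/or (for inspection)."""
    return flatten(d[1]) + flatten(d[2]) if d[0] in ("and", "or") else [d]

# The `closed` program of Example 6.25 (cloz, clolam, cloapp), as data.
x = Var("x")
cloz = ("rule", "closed", (App("z"),), ("top",))
clolam = ("rule", "closed", (App("lam", (Var("E"),)),),
          ("forall", "x", ("imp", ("atom", "closed", (x,)), ("atom", "closed", (App("E", (x,)),)))))
cloapp = ("rule", "closed", (App("app", (Var("E1"), Var("E2"))),),
          ("and", ("atom", "closed", (Var("E1"),)), ("atom", "closed", (Var("E2"),))))
PROGRAM = [cloz, clolam, cloapp]
```

`flatten(negative_definition("closed", PROGRAM))` lists the eight negative clauses of the example: two facts from `cloz` (its negative rule is absorbed because NotG(⊤) = ⊥), and two facts plus one negative rule each from `clolam` and `cloapp`; the outer structure is a disjunction, reflecting that `def(closed)` is a conjunction of three clauses.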

6.6  Augmentation 

Now that we have discussed how to perform clause, assumption and goal complementation, we put them together in a phase we call augmentation, which simply inserts, at compile-time, the correct assumption complementation into a goal and in turn into a clause. We give one judgment to augment a program, $\mathit{aug}_D(D)$, depicted in Figure 6.12, which merely recurs on the structure of clauses until it calls goal augmentation, $\Gamma;\mathcal{D} \vdash \mathit{aug}_G(G)$ (Figure 6.13). The latter traverses a goal collecting parameters in $\Gamma$ and assumptions in $\mathcal{D}$. When it reaches an atom, either it stops, as no parameter has been introduced, or it passes $\Gamma;\mathcal{D}$ to assumption complementation.

Some examples will make the whole process clear; consider the copy program on $\lambda$-terms:

$\mathit{cpapp} : \forall E_1, E_2, F_1, F_2{:}\mathit{exp}.$
$\quad \mathit{copy}\ (\mathit{app}\ E_1\ E_2)\ (\mathit{app}\ F_1\ F_2)$
$\quad\quad \leftarrow \mathit{copy}\ E_1\ F_1$
$\quad\quad \leftarrow \mathit{copy}\ E_2\ F_2.$

$\mathit{cplam} : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \forall F{:}\mathit{exp} \to \mathit{exp}.$
$\quad \mathit{copy}\ (\mathit{lam}\ E)\ (\mathit{lam}\ F)$
$\quad\quad \leftarrow (\forall x{:}\mathit{exp}.\ \mathit{copy}\ x\ x \to \mathit{copy}\ (E\ x)\ (F\ x)).$

The augmentation judgment $\mathit{aug}_D(\mathit{cplam})$ calls $\cdot \vdash \mathit{aug}_G(\forall x{:}\mathit{exp}.\ \mathit{copy}\ x\ x \to \mathit{copy}\ (E\ x)\ (F\ x))$, which collects the context $x{:}\mathit{exp}; \mathit{copy}\ x\ x$ and calls $x{:}\mathit{exp} \vdash \mathrm{Not}_\alpha(\mathit{copy}\ x\ x)$. We start by observing that $\Gamma \vdash \mathrm{Not}^{x}_{i}(\mathit{copy}\ x\ x) = \top$, since the conditions on rule $\Gamma \vdash \mathrm{Not}^{x}$ are not satisfied. Then, note that $x{:}\mathit{exp} \vdash \mathrm{Not}(x) = \{\mathit{lam}\ F', \mathit{app}\ F_1\ F_2\}$. This yields:

$x{:}\mathit{exp} \vdash \mathrm{Not}^{1}_{x}(\mathit{copy}\ x\ x) = (\forall F', F_1, F_2{:}\mathit{exp}.\ \neg\mathit{copy}\ x\ (\mathit{lam}\ F') \wedge \neg\mathit{copy}\ x\ (\mathit{app}\ F_1\ F_2))$

Symmetrically:

$x{:}\mathit{exp} \vdash \mathrm{Not}^{2}_{x}(\mathit{copy}\ x\ x) = (\forall F'', F_3, F_4{:}\mathit{exp}.\ \neg\mathit{copy}\ (\mathit{lam}\ F'')\ x \wedge \neg\mathit{copy}\ (\mathit{app}\ F_3\ F_4)\ x)$
$$\frac{X \in \{\top, \bot\} \text{ or (dis)eq}}{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(X) = X}\ \mathit{aug}_G X \qquad \frac{}{\cdot;\top \vdash \mathit{aug}_G(Q) = Q}\ \mathit{aug}_G\mathit{At}\top \qquad \frac{\Gamma \vdash \mathrm{Not}_\alpha(\mathcal{D}) = \mathcal{D}'}{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(Q) = \mathcal{D}' \to Q}\ \mathit{aug}_G\mathit{At}$$

$$\frac{\Gamma;(\mathcal{D} \wedge D) \vdash \mathit{aug}_G(G) = G^a}{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(D \to G) = D \to G^a}\ \mathit{aug}_G\!\to \qquad \frac{(\Gamma, y{:}a);\mathcal{D} \vdash \mathit{aug}_G([y/x]G) = [y/x]G^a}{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(\forall x{:}a.\,G) = \forall x{:}a.\,G^a}\ \mathit{aug}_G\forall$$

$$\frac{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(G_1) = G_1^a \quad \Gamma;\mathcal{D} \vdash \mathit{aug}_G(G_2) = G_2^a}{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(G_1 \wedge G_2) = G_1^a \wedge G_2^a}\ \mathit{aug}_G\wedge \qquad \frac{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(G_1) = G_1^a \quad \Gamma;\mathcal{D} \vdash \mathit{aug}_G(G_2) = G_2^a}{\Gamma;\mathcal{D} \vdash \mathit{aug}_G(G_1 \vee G_2) = G_1^a \vee G_2^a}\ \mathit{aug}_G\vee$$

Figure 6.13: Goal augmentation: $\Gamma;\mathcal{D} \vdash \mathit{aug}_G(G) = G^a$

This will yield the augmented clause:

$\mathit{aug}_D(\mathit{cplam}) : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \forall F{:}\mathit{exp} \to \mathit{exp}.$
$\quad \mathit{copy}\ (\mathit{lam}\ E)\ (\mathit{lam}\ F)$
$\quad\quad \leftarrow (\forall x{:}\mathit{exp}.$
$\quad\quad\quad (\forall F', F'', F_1, F_2, F_3, F_4{:}\mathit{exp}.$
$\quad\quad\quad\quad \neg\mathit{copy}\ x\ (\mathit{lam}\ F') \wedge \neg\mathit{copy}\ x\ (\mathit{app}\ F_1\ F_2) \wedge$
$\quad\quad\quad\quad \neg\mathit{copy}\ (\mathit{lam}\ F'')\ x \wedge \neg\mathit{copy}\ (\mathit{app}\ F_3\ F_4)\ x)$
$\quad\quad\quad \to \mathit{copy}\ x\ x \to \mathit{copy}\ (E\ x)\ (F\ x)).$

while of course $\mathit{aug}_D(\mathit{cpapp}) = \mathit{cpapp}$, as enforced by $\mathit{aug}_G\mathit{At}\top$. If we had a two-parameter version of copy:

$\mathit{cplam}' : \forall E{:}\mathit{exp} \to \mathit{exp}.\ \forall F{:}\mathit{exp} \to \mathit{exp}.$
$\quad \mathit{copy}'\ (\mathit{lam}\ E)\ (\mathit{lam}\ F)$
$\quad\quad \leftarrow (\forall x{:}\mathit{exp}.\ \forall y{:}\mathit{exp}.\ \mathit{copy}'\ x\ y \to \mathit{copy}'\ (E\ x)\ (F\ y)).$

Then we would get first:

$\Gamma \vdash \mathrm{Not}^{x}_{2}(\mathit{copy}'\ x\ y) = (\forall E''{:}\mathit{exp}.\ \neg\mathit{copy}'\ E''\ x)$

$\Gamma \vdash \mathrm{Not}^{y}_{1}(\mathit{copy}'\ x\ y) = (\forall F''{:}\mathit{exp}.\ \neg\mathit{copy}'\ y\ F'').$

Secondly, by computing, respectively, for $\Gamma = x{:}\mathit{exp}, y{:}\mathit{exp}$, $\Gamma \vdash \mathrm{Not}(y)$ and $\Gamma \vdash \mathrm{Not}(x)$:

$\Gamma \vdash \mathrm{Not}^{1}_{x}(\mathit{copy}'\ x\ y) = (\forall F_0, F_1, F_2{:}\mathit{exp}.\ \neg\mathit{copy}'\ x\ (\mathit{lam}\ F_0) \wedge \neg\mathit{copy}'\ x\ (\mathit{app}\ F_1\ F_2) \wedge \neg\mathit{copy}'\ x\ x)$

$\Gamma \vdash \mathrm{Not}^{2}_{y}(\mathit{copy}'\ x\ y) = (\forall F_0', F_1', F_2'{:}\mathit{exp}.\ \neg\mathit{copy}'\ (\mathit{lam}\ F_0')\ y \wedge \neg\mathit{copy}'\ (\mathit{app}\ F_1'\ F_2')\ y \wedge \neg\mathit{copy}'\ y\ y)$
yielding the augmented clause:

$$\begin{array}{l}
\mathit{aug}_D(\mathit{cplam}') : \forall E{:}\mathit{exp}\to\mathit{exp}.\ \forall F{:}\mathit{exp}\to\mathit{exp}.\\
\quad \mathit{copy}'\ (\mathit{lam}\ E)\ (\mathit{lam}\ F)\\
\quad \leftarrow (\forall x{:}\mathit{exp}.\ \forall y{:}\mathit{exp}.\\
\qquad (\forall E'{:}\mathit{exp}.\ \neg\mathit{copy}'\ E'\ x) \wedge\\
\qquad (\forall F'{:}\mathit{exp}.\ \neg\mathit{copy}'\ y\ F') \wedge\\
\qquad \forall(\neg\mathit{copy}'\ x\ (\mathit{lam}\ F_0) \wedge \neg\mathit{copy}'\ x\ (\mathit{app}\ F_1\ F_2) \wedge \neg\mathit{copy}'\ x\ x \wedge\\
\qquad\quad \neg\mathit{copy}'\ (\mathit{lam}\ F_0')\ y \wedge \neg\mathit{copy}'\ (\mathit{app}\ F_1'\ F_2')\ y \wedge \neg\mathit{copy}'\ y\ y)\\
\qquad \to \mathit{copy}'\ x\ y \to \mathit{copy}'\ (E\ x)\ (F\ y)).
\end{array}$$

Note that by static analysis of $\mathit{copy}'$ we know that $x$ will never end up in the second argument of $\mathit{copy}'$, and symmetrically this applies to $y$ too. Thus the calls to $\Gamma \vdash \mathrm{Not}^{\to}_x$ and $\mathrm{Not}^{\to}_y$ are, in this case, useless; however, since this kind of data flow analysis is in general undecidable, the augmentation procedure inserts the negation of a clause for every 'odd' position relevant to the pivot parameter. Now, consider the typing clause for lambda terms:

$$\begin{array}{l}
\mathit{oflam} : \forall E{:}\mathit{exp}\to\mathit{exp}.\ \forall T_1, T_2{:}\mathit{tp}.\\
\quad \mathit{of}\ (\mathit{lam}\ E)\ (\mathit{arrow}\ T_1\ T_2)\\
\quad \leftarrow (\forall x{:}\mathit{exp}.\ \mathit{of}\ x\ T_1 \to \mathit{of}\ (E\ x)\ T_2).
\end{array}$$

As $T_1$ is an input term, normalization of input variables inserts the appropriate equation, turning $\mathit{oflam}$ into $\mathit{oflam}'$:

$$\begin{array}{l}
\mathit{oflam}' : \forall E{:}\mathit{exp}\to\mathit{exp}.\ \forall T_1, T_2{:}\mathit{tp}.\\
\quad \mathit{of}\ (\mathit{lam}\ E)\ (\mathit{arrow}\ T_1\ T_2)\\
\quad \leftarrow (\forall x{:}\mathit{exp}.\ (\forall T{:}\mathit{tp}.\ \mathit{of}\ x\ T \leftarrow T = T_1) \to \mathit{of}\ (E\ x)\ T_2).
\end{array}$$

Both $\Gamma \vdash \mathrm{Not}^{\to}_x$ and $\mathrm{Not}^{i}_x$ generate no contribution; in particular $x{:}\mathit{exp} \vdash \mathrm{Not}_\alpha(\forall T{:}\mathit{tp}.\ \mathit{of}\ x\ T \leftarrow T = T_1)$ calls the $\mathrm{Not}_\alpha{\to}$ rule, but term complementation (applied to the existential variable $T$) yields the trivial clause. Therefore, by $\mathrm{Not}_G(T = T_1) = (T \neq T_1)$, augmentation will result in:

$$\begin{array}{l}
\mathit{aug}_D(\mathit{oflam}) : \forall E{:}\mathit{exp}\to\mathit{exp}.\ \forall T_1, T_2{:}\mathit{tp}.\\
\quad \mathit{of}\ (\mathit{lam}\ E)\ (\mathit{arrow}\ T_1\ T_2)\\
\quad \leftarrow (\forall x{:}\mathit{exp}.\ \mathit{of}\ x\ T_1 \to\\
\qquad (\forall T{:}\mathit{tp}.\ \neg\mathit{of}\ x\ T \leftarrow T \neq T_1) \to\\
\qquad \mathit{of}\ (E\ x)\ T_2).
\end{array}$$

Consider now a predicate which counts the number of bound variables in a lambda-term:

$$\begin{array}{l}
\mathit{cntlam} : \forall E{:}\mathit{exp}\to\mathit{exp}.\ \forall N{:}\mathit{nat}.\\
\quad \mathit{cnt}\ (\mathit{lam}\ E)\ N\\
\quad \leftarrow (\forall x{:}\mathit{exp}.\ \mathit{cnt}\ x\ \mathit{s}(0) \to \mathit{cnt}\ (E\ x)\ N).
\end{array}$$

The call to $x{:}\mathit{exp} \vdash \mathrm{Not}_\alpha(\mathit{cnt}\ x\ \mathit{s}(0))$ leads to $\mathrm{Not}^{1}_x(\mathit{cnt}\ x\ \mathit{s}(0))$, since, again, $\Gamma \vdash \mathrm{Not}^{\to}_x$ does not contribute: $\mathrm{Not}^{1}_x$ collects the term complement of $\mathit{s}(0)$ in the context $x{:}\mathit{exp}$, but the typing discipline constrains the result to be $\{0, \mathit{s}(\mathit{s}(M))\}$, as expected:

$$\begin{array}{l}
\mathit{aug}_D(\mathit{cntlam}) : \forall E{:}\mathit{exp}\to\mathit{exp}.\ \forall N{:}\mathit{nat}.\\
\quad \mathit{cnt}\ (\mathit{lam}\ E)\ N\\
\quad \leftarrow (\forall x{:}\mathit{exp}.\ (\neg\mathit{cnt}\ x\ 0 \wedge \forall M{:}\mathit{nat}.\ \neg\mathit{cnt}\ x\ \mathit{s}(\mathit{s}(M)))\\
\qquad \to \mathit{cnt}\ (E\ x)\ N).
\end{array}$$
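The term complements used in the examples above ($\mathrm{Not}(x) = \{\mathit{lam}\ F', \mathit{app}\ F_1\ F_2\}$ for a parameter $x{:}\mathit{exp}$, and $\{0, \mathit{s}(\mathit{s}(M))\}$ for $\mathit{s}(0)$ under the $\mathit{nat}$ typing discipline) and the clause complement of Remark 6.29 can be computed for first-order patterns as follows. This is an added illustration, not code from the thesis: it assumes a constructed first-order signature in which $\mathit{lam}$ takes one $\mathit{exp}$ argument, treats context parameters as rigid non-constructor heads, and does not model the strict lambda calculus of Chapter 4.

```python
"""Added example (not the thesis's own code): first-order term and clause
complementation over a constructed signature.  Assumed simplifications:
lam takes a single exp argument, context parameters such as x:exp are
rigid heads that are not constructors, and a pattern variable matches
everything (so its complement is empty)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class App:
    head: str                      # constructor or context parameter
    args: Tuple["Term", ...] = ()


Term = Union[Var, App]

# Constructed signature: type -> constructor -> argument types.
SIG: Dict[str, Dict[str, Tuple[str, ...]]] = {
    "nat": {"0": (), "s": ("nat",)},
    "exp": {"lam": ("exp",), "app": ("exp", "exp")},
}


class Fresh:
    """Generates fresh pattern variables named after their type (N1, E2, ...)."""
    def __init__(self) -> None:
        self.n = 0

    def var(self, ty: str) -> Var:
        self.n += 1
        return Var(f"{ty[0].upper()}{self.n}")


def show(t: Term) -> str:
    if isinstance(t, Var):
        return t.name
    if not t.args:
        return t.head
    return f"{t.head}({', '.join(show(a) for a in t.args)})"


def complement(t: Term, ty: str, ctx: Dict[str, str], fresh: Fresh) -> List[Term]:
    """Patterns of type ty matched by exactly the closed terms that do not match t.
    ctx maps the context parameters (Gamma) to their types."""
    if isinstance(t, Var):
        return []                  # a variable matches everything
    cons = SIG[ty]
    out: List[Term] = []
    # Every constructor of this type other than the head of t, applied to fresh variables.
    for c, argtys in cons.items():
        if c != t.head:
            out.append(App(c, tuple(fresh.var(a) for a in argtys)))
    # Context parameters of this type are rigid heads as well.
    for x, xty in ctx.items():
        if xty == ty and x != t.head:
            out.append(App(x))
    # Same head as t, with exactly one argument complemented and the others fresh.
    if t.head in cons:
        argtys = cons[t.head]
        for i, (arg, aty) in enumerate(zip(t.args, argtys)):
            for carg in complement(arg, aty, ctx, fresh):
                args = tuple(carg if j == i else fresh.var(argtys[j])
                             for j in range(len(argtys)))
                out.append(App(t.head, args))
    return out


def not_clause(pred: str, args: List[Term], argtys: List[str],
               body: List[Tuple[str, List[Term]]], ctx: Dict[str, str]) -> List[str]:
    """Not_D of the clause forall(pred(args) <- body), body a conjunction of atoms,
    rendered as strings: one negative fact per complement pattern of the head
    (the shape of Remark 6.29), plus the negated head with the negated body,
    where Not_G of a conjunction is the disjunction of the negated atoms and
    Not_G of an empty body is false."""
    fresh = Fresh()
    out: List[str] = []
    for i, (a, ty) in enumerate(zip(args, argtys)):
        for c in complement(a, ty, ctx, fresh):
            newargs = [c if j == i else fresh.var(argtys[j]) for j in range(len(args))]
            out.append(f"not_{pred}({', '.join(show(x) for x in newargs)}) <- true")
    neg_body = " | ".join(f"not_{p}({', '.join(show(x) for x in a)})" for p, a in body)
    out.append(f"not_{pred}({', '.join(show(x) for x in args)}) <- {neg_body or 'false'}")
    return out


if __name__ == "__main__":
    # Not(s(0)) under the nat typing discipline: {0, s(s(N))}, as in the cnt example.
    print([show(t) for t in complement(App("s", (App("0"),)), "nat", {}, Fresh())])
    # Not(x) for a parameter x:exp: {lam F, app F1 F2}, as in the copy example.
    print([show(t) for t in complement(App("x"), "exp", {"x": "exp"}, Fresh())])
    # Clause complement of a constructed clause even(s(s(N))) <- even(N).
    print(not_clause("even", [App("s", (App("s", (Var("N"),)),))], ["nat"],
                     [("even", [Var("N")])], {}))
```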
Let us see how rule $\mathrm{Not}_\alpha\top$ enters the picture: recall the $\top$-normalized $\mathit{linx}$ lambda clause:

$$\begin{array}{l}
\mathit{linxlam} : \forall E{:}\mathit{exp}\to\mathit{exp}\to\mathit{exp}.\\
\quad \mathit{linx}\ (\lambda x.\ \mathit{lam}(\lambda y.\ E\ x\ y))\\
\quad \leftarrow (\forall z{:}\mathit{exp}.\ \top_{\mathit{linx}} \to \mathit{linx}\ (\lambda x.\ E\ x\ z)).
\end{array}$$

The judgment $z{:}\mathit{exp};\top_{\mathit{linx}} \vdash \mathit{aug}_G(\mathit{linx}\ (\lambda x.\ E\ x\ z))$ triggers the rule $\mathrm{Not}_\alpha\top$; in turn $\cdot \vdash \mathit{sh}(z, \mathit{exp}\to\mathit{exp}) = \lambda y.\ z$ and thus $z{:}\mathit{exp} \vdash \mathrm{Not}^{1}_z(\top_{\mathit{linx}}) = \neg\mathit{linx}\ (\lambda x.\ z)$:

$$\begin{array}{l}
\mathit{aug}_D(\mathit{linxlam}) : \forall E{:}\mathit{exp}\to\mathit{exp}\to\mathit{exp}.\\
\quad \mathit{linx}\ (\lambda x.\ \mathit{lam}(\lambda y.\ E\ x\ y))\\
\quad \leftarrow (\forall z{:}\mathit{exp}.\ \neg\mathit{linx}\ (\lambda x.\ z) \to \mathit{linx}\ (\lambda x.\ E\ x\ z)).
\end{array}$$

Example 6.26 Let us apply the complement algorithm to the $\mathit{linx}$ predicate definition; note the vacuous application $E_2\ x^{0}$:

$$\begin{array}{l}
\mathit{linxx} : \mathit{linx}(\lambda x.\ x).\\
\mathit{linxap1} : \mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x)\ (E_2\ x^{0})) \leftarrow \mathit{linx}(\lambda x.\ E_1\ x).\\
\mathit{linxap2} : \mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x^{0})\ (E_2\ x)) \leftarrow \mathit{linx}(\lambda x.\ E_2\ x).\\
\mathit{aug}_D(\mathit{linxlm}) : \mathit{linx}(\lambda x.\ \mathit{lam}(\lambda y.\ E\ x\ y)) \leftarrow (\forall y{:}\mathit{exp}.\ \neg\mathit{linx}(\lambda x.\ y) \to \mathit{linx}(\lambda x.\ E\ x\ y)).
\end{array}$$

$$\begin{array}{l}
\mathrm{Not}_D(\mathrm{def}(\mathit{linx})) =\\
\mathrm{Not}_D(\mathit{linxx}) \vee \mathrm{Not}_D(\mathit{linxap1}) \vee \mathrm{Not}_D(\mathit{linxap2}) \vee \mathrm{Not}_D(\mathit{linxlm}) =\\
(\neg\mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x)\ (E_2\ x)) \wedge \neg\mathit{linx}(\lambda x.\ \mathit{lam}(\lambda y.\ E\ x\ y))) \vee\\
(\neg\mathit{linx}(\lambda x.\ x) \wedge \neg\mathit{linx}(\lambda x.\ \mathit{lam}(\lambda y.\ E\ x\ y)) \wedge \neg\mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x)\ (E_2\ x^{1}))\\
\quad \wedge\ \neg\mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x)\ (E_2\ x^{0})) \leftarrow \neg\mathit{linx}(\lambda x.\ E_1\ x)) \vee\\
(\neg\mathit{linx}(\lambda x.\ x) \wedge \neg\mathit{linx}(\lambda x.\ \mathit{lam}(\lambda y.\ E\ x\ y)) \wedge \neg\mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x^{1})\ (E_2\ x))\\
\quad \wedge\ \neg\mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x^{0})\ (E_2\ x)) \leftarrow \neg\mathit{linx}(\lambda x.\ E_2\ x)) \vee\\
(\neg\mathit{linx}(\lambda x.\ x) \wedge \neg\mathit{linx}(\lambda x.\ \mathit{app}\ (E_1\ x)\ (E_2\ x))\\
\quad \wedge\ \neg\mathit{linx}(\lambda x.\ \mathit{lam}(\lambda y.\ E\ x\ y)) \leftarrow (\forall y{:}\mathit{exp}.\ \neg\mathit{linx}(\lambda x.\ y) \to \neg\mathit{linx}(\lambda x.\ E\ x\ y))).
\end{array}$$

We prove that augmented clauses and goals satisfy the augmented schema, where we define $\Gamma;\mathit{aug}_D(\mathcal{D})$ as $\Gamma;\mathcal{D} \wedge \mathcal{D}^\alpha$ for $\Gamma \vdash \mathrm{Not}_\alpha(\mathcal{D}) = \mathcal{D}^\alpha$, and

$$\frac{}{\mathit{aug}(\circ) = \circ}\ \mathit{aug}\circ
\qquad
\frac{\mathit{aug}(\mathcal{S}) = \mathcal{S}^\alpha \qquad \mathit{aug}_D(\mathcal{D}) = \mathcal{D}^\alpha}{\mathit{aug}(\mathcal{S}\|(\Gamma;\mathrm{SOME}\ \Phi.\ \mathcal{D})) = \mathcal{S}^\alpha\|(\Gamma;\mathrm{SOME}\ \Phi.\ \mathcal{D}^\alpha)}\ \mathit{aug}\|$$

Now, the usual lemma on schema membership:

Lemma 6.27 If $\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}$ then $\Gamma \vdash \Gamma';\mathit{aug}_D(\mathcal{D}') \in \mathit{aug}(\mathcal{S})$.

Proof: By induction on the structure of $\pi :: \Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}$.

Case:
$$\pi = \frac{\Gamma \vdash \theta : \Phi \qquad (\Gamma';\mathcal{D}') =_\alpha (\Gamma'';[\theta]\mathcal{D})}{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S}\|(\Gamma'';\mathrm{SOME}\ \Phi.\ \mathcal{D})}\ {\in}_1$$

$\Gamma';\mathcal{D}' =_\alpha \Gamma'';[\theta]\mathcal{D}$  By sub-derivation
$\Gamma';\mathit{aug}_D(\mathcal{D}') =_\alpha \Gamma'';[\theta]\mathit{aug}_D(\mathcal{D})$  By definition
$\Gamma \vdash \Gamma';\mathit{aug}_D(\mathcal{D}') \in \mathit{aug}(\mathcal{S})\|(\Gamma'';\mathrm{SOME}\ \Phi.\ \mathit{aug}_D(\mathcal{D}))$  By rule ${\in}_1$
$\Gamma \vdash \Gamma';\mathit{aug}_D(\mathcal{D}') \in \mathit{aug}(\mathcal{S}\|(\Gamma'';\mathrm{SOME}\ \Phi.\ \mathcal{D}))$  By rule $\mathit{aug}\|$

Case: $\pi$ ends in ${\in}_2$: by IH.

□


We use $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D)$ for $\vdash \mathit{aug}_D(D) = D^\alpha$ and $\models_{\mathcal{S}^\alpha} D^\alpha$, and $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G) < \mathcal{S}^\alpha$ analogously for $\mathit{aug}_G(G)$.

Lemma 6.28 (Schema Augmentation) Let $\Gamma;\mathcal{D} < \mathcal{S}$ and $\mathit{aug}(\mathcal{S}) = \mathcal{S}^\alpha$. Then:

1. If $\models_{\mathcal{S}} D$, then $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D)$.

2. If $\Gamma;\mathcal{D} \backslash G < \mathcal{S}$, then $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G) < \mathcal{S}^\alpha$.

3. If $\Gamma;\mathcal{D} < \mathcal{S}$, then $\Gamma;\mathit{aug}_D(\mathcal{D}) < \mathcal{S}^\alpha$.

Proof: By mutual induction on the structure of $\pi :: \models_{\mathcal{S}} D$, $\gamma :: \Gamma;\mathcal{D} \backslash G < \mathcal{S}$ and $\delta :: \Gamma;\mathcal{D} < \mathcal{S}$. We show the crucial cases:

Case:
$$\pi = \frac{X \in \{Q, \top, \bot\}}{\models_{\mathcal{S}} X}\ \models_{\mathcal{S}} X$$

Immediately $\mathit{aug}_D(X) = X$ and $\models_{\mathcal{S}^\alpha} X$.

Case:
$$\pi = \frac{\cdot;\top \backslash [\rho]G < \mathcal{S}}{\models_{\mathcal{S}} \forall(Q \leftarrow G)}\ \models_{\mathcal{S}}{\to}$$

$\cdot;\top \backslash [\rho]G < \mathcal{S}$  By sub-derivation
$\cdot;\top \backslash \mathit{aug}_G([\rho]G) < \mathcal{S}^\alpha$  By IH 2
$\models_{\mathcal{S}^\alpha} \forall([\rho]Q \leftarrow \mathit{aug}_G([\rho]G))$  By rule $\models_{\mathcal{S}^\alpha}{\to}$
$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(\forall(Q \leftarrow G))$  By rule $\mathit{aug}_D{\to}$

Case:
$$\gamma = \frac{X \in \{\top,\bot\}\ \text{or (dis)eq} \qquad \Gamma;\mathcal{D} < \mathcal{S}}{\Gamma;\mathcal{D} \backslash X < \mathcal{S}}\ \backslash X$$

$\Gamma;\mathcal{D} < \mathcal{S}$  By sub-derivation
$\Gamma;\mathit{aug}_D(\mathcal{D}) < \mathcal{S}^\alpha$  By IH 3
$\Gamma;\mathcal{D} \vdash \mathit{aug}_G(X) = X$  By rule $\mathit{aug}_G X$
$\Gamma;\mathit{aug}_D(\mathcal{D}) \backslash X < \mathcal{S}^\alpha$  By rule $\backslash X$

Case:
$$\gamma = \frac{\Gamma;\mathcal{D} < \mathcal{S}}{\Gamma;\mathcal{D} \backslash Q < \mathcal{S}}\ \backslash\mathrm{At}$$

By sub-derivation $\Gamma;\mathcal{D} < \mathcal{S}$; there are two ways to augment an atom:

Subcase: $\cdot;\top \vdash \mathit{aug}_G(Q) = Q$:

$\cdot;\top < \mathcal{S}^\alpha$  By rule $<_1$
$\cdot;\top \backslash Q < \mathcal{S}^\alpha$  By rule $\backslash\mathrm{At}$
$\cdot;\top \backslash \mathit{aug}_G(Q) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\mathrm{At}\top$

Subcase: $\Gamma;\mathcal{D} \vdash \mathit{aug}_G(Q) = \mathrm{Not}_\alpha(\mathcal{D}) \to Q$:

$\Gamma;\mathit{aug}_D(\mathcal{D}) < \mathcal{S}^\alpha$  By IH 3
$\Gamma;\mathit{aug}_D(\mathcal{D}) \backslash Q < \mathcal{S}^\alpha$  By rule $\backslash\mathrm{At}$
$\Gamma;\mathcal{D} \wedge \mathrm{Not}_\alpha(\mathcal{D}) \backslash Q < \mathcal{S}^\alpha$  By def. of $\mathit{aug}_D(\mathcal{D})$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_\alpha(\mathcal{D}) \to Q < \mathcal{S}^\alpha$  By rule $\backslash{\to}$
$\Gamma;\mathcal{D} \backslash \mathit{aug}_G(Q) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\mathrm{At}$

Case:
$$\gamma = \frac{\models_{\mathcal{S}} D \qquad \Gamma;\mathcal{D} \wedge D \backslash G < \mathcal{S}}{\Gamma;\mathcal{D} \backslash D \to G < \mathcal{S}}\ \backslash{\to}$$

$\models_{\mathcal{S}} D$  By sub-derivation
$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D)$  By IH 1
$\Gamma;\mathcal{D} \wedge D \backslash G < \mathcal{S}$  By sub-derivation
$\Gamma;\mathcal{D} \wedge D \backslash \mathit{aug}_G(G) < \mathcal{S}^\alpha$  By IH 2
$\Gamma;\mathcal{D} \backslash D \to \mathit{aug}_G(G) < \mathcal{S}^\alpha$  By rule $\backslash{\to}$
$\Gamma;\mathcal{D} \backslash \mathit{aug}_G(D \to G) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G{\to}$

Case:
$$\delta = \frac{}{\cdot;\top < \mathcal{S}}\ <_1$$

Then immediately $\cdot;\top < \mathcal{S}^\alpha$.

Case:
$$\delta = \frac{\Gamma \vdash (\Gamma';\mathcal{D}') \in \mathcal{S} \qquad \models_{\mathcal{S}} \mathcal{D}' \qquad (\Gamma;\mathcal{D}) < \mathcal{S}}{(\Gamma, [\Gamma']);\mathcal{D} \wedge [\mathcal{D}'] < \mathcal{S}}\ <_2$$

$\Gamma;\mathcal{D} < \mathcal{S}$  By sub-derivation
$\Gamma;\mathit{aug}_D(\mathcal{D}) < \mathcal{S}^\alpha$  By IH 3
$\Gamma \vdash \Gamma';\mathcal{D}' \in \mathcal{S}$  By sub-derivation
$\Gamma \vdash \Gamma';\mathit{aug}_D(\mathcal{D}') \in \mathcal{S}^\alpha$  By Lemma 6.27
$\models_{\mathcal{S}} \mathcal{D}'$  By sub-derivation
$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(\mathcal{D}')$  By IH 1
$(\Gamma, [\Gamma']);\mathit{aug}_D(\mathcal{D}) \wedge \mathit{aug}_D([\mathcal{D}']) < \mathcal{S}^\alpha$  By rule $<_2$
$(\Gamma, [\Gamma']);\mathit{aug}_D(\mathcal{D} \wedge [\mathcal{D}']) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_D\wedge$

□


The following Lemma ensures that augmented clauses are closed under negation. In particular, for $\Gamma;\mathcal{D} < \mathcal{S}^\alpha$, if $D \in \mathcal{D}$, so is $\Gamma \vdash \mathrm{Not}_\alpha(D)$. We use $\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(G) < \mathcal{S}^\alpha$ for $\mathrm{Not}_G(G) = G'$ and $\Gamma;\mathcal{D} \backslash G' < \mathcal{S}^\alpha$. Similarly for $\mathrm{Not}_D(D)$. We will need the following technical remark:

Remark 6.29 If $M$ is a simple term, then $\models_{\mathcal{S}^\alpha} \bigwedge_{N \in \mathrm{Not}(M)} \forall(\neg q\,N \leftarrow \top)$.

Proof: By rules $\models_{\mathcal{S}^\alpha}\wedge$, $\models_{\mathcal{S}}\forall$, $\backslash\top$, $\models_{\mathcal{S}}\mathrm{At}$, $\backslash\mathrm{At}$. □

Lemma 6.30 (Negative Schema Augmentation) Let $\Gamma;\mathcal{D} < \mathcal{S}^\alpha$. Then:

1. If $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D)$, then $\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D))$.

2. If $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G) < \mathcal{S}^\alpha$, then $\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G)) < \mathcal{S}^\alpha$.

Proof: By mutual induction on the structure of $\pi :: \models_{\mathcal{S}^\alpha} \mathit{aug}_D(D)$ and $\gamma :: \Gamma;\mathcal{D} \backslash \mathit{aug}_G(G) < \mathcal{S}^\alpha$.

Case: $\pi = \models_{\mathcal{S}^\alpha} \mathit{aug}_D(\bot)$. By rule $\mathit{aug}_D(\bot) = \bot$ and $\vdash \mathrm{Not}_D(\bot) = \top$: thus $\models_{\mathcal{S}^\alpha} \top$.

Case: $\pi = \models_{\mathcal{S}^\alpha} \mathit{aug}_D(\top)$. By rule $\mathit{aug}_D(\top) = \top$ and $\vdash \mathrm{Not}_D(\top) = \bot$: thus $\models_{\mathcal{S}^\alpha} \bot$.

Case: $\pi$ ends in $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(\forall(q\,M \leftarrow G))$:

$\models_{\mathcal{S}^\alpha} \forall(q\,M \leftarrow \mathit{aug}_G(G))$  By rule $\mathit{aug}_D{\to}$
$\cdot;\top \backslash \mathit{aug}_G([\rho]G) < \mathcal{S}^\alpha$  By inversion on rule $\models_{\mathcal{S}}{\to}$
$\cdot;\top \backslash \mathrm{Not}_G(\mathit{aug}_G([\rho]G)) < \mathcal{S}^\alpha$  By IH 2
$\models_{\mathcal{S}^\alpha} [\rho](\neg q\,M)$  By rule $\models_{\mathcal{S}^\alpha}\mathrm{At}$
$\models_{\mathcal{S}^\alpha} \forall(\neg q\,M \leftarrow \mathrm{Not}_G(\mathit{aug}_G(G)))$  By rule $\models_{\mathcal{S}}{\to}$
$\models_{\mathcal{S}^\alpha} \bigwedge_{N \in \mathrm{Not}(M)} \forall(\neg q\,N \leftarrow \top)$  By Remark 6.29
$\models_{\mathcal{S}^\alpha} \bigwedge_{N \in \mathrm{Not}(M)} \forall(\neg q\,N \leftarrow \top) \wedge \forall(\neg q\,M \leftarrow \mathrm{Not}_G(\mathit{aug}_G(G)))$  By rule $\models_{\mathcal{S}^\alpha}\wedge$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\forall(q\,M \leftarrow \mathit{aug}_G(G)))$  By rule $\mathrm{Not}_D$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(\forall(q\,M \leftarrow G)))$  By rule $\mathit{aug}_D{\to}$

Case: $\pi$ ends in $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_1 \wedge D_2)$:

$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_1) \wedge \mathit{aug}_D(D_2)$  By rule $\mathit{aug}_D\wedge$
$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_1)$ and $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_2)$  By rule $\models_{\mathcal{S}}\wedge$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1))$ and $\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_2))$  By IH 1
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1)) \vee \mathrm{Not}_D(\mathit{aug}_D(D_2))$  By rule $\models_{\mathcal{S}}\vee$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1) \wedge \mathit{aug}_D(D_2))$  By rule $\mathrm{Not}_D\wedge$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1 \wedge D_2))$  By rule $\mathit{aug}_D\wedge$

Case: $\pi$ ends in $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_1 \vee D_2)$:

$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_1) \vee \mathit{aug}_D(D_2)$  By rule $\mathit{aug}_D\vee$
$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_1)$ and $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D_2)$  By rule $\models_{\mathcal{S}}\vee$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1))$ and $\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_2))$  By IH 1
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1)) \wedge \mathrm{Not}_D(\mathit{aug}_D(D_2))$  By rule $\models_{\mathcal{S}}\wedge$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1) \vee \mathit{aug}_D(D_2))$  By rule $\mathrm{Not}_D\vee$
$\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D_1 \vee D_2))$  By rule $\mathit{aug}_D\vee$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(\top) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash \top < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\top$
$\Gamma;\mathcal{D} < \mathcal{S}^\alpha$  By sub-derivation
$\Gamma;\mathcal{D} \vdash \mathrm{Not}_G(\top) = \bot$  By rule $\mathrm{Not}_G\top$
$\Gamma;\mathcal{D} \backslash \bot < \mathcal{S}^\alpha$  By rule $\backslash X$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(\bot) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash \bot < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\bot$
$\Gamma;\mathcal{D} < \mathcal{S}^\alpha$  By sub-derivation
$\Gamma;\mathcal{D} \vdash \mathrm{Not}_G(\bot) = \top$  By rule $\mathrm{Not}_G\bot$
$\Gamma;\mathcal{D} \backslash \top < \mathcal{S}^\alpha$  By rule $\backslash X$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(M = N) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash M = N < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G X$
$\Gamma;\mathcal{D} < \mathcal{S}^\alpha$  By sub-derivation
$\Gamma;\mathcal{D} \vdash \mathrm{Not}_G(M = N) = (M \neq N)$  By rule $\mathrm{Not}_G{=}$
$\Gamma;\mathcal{D} \backslash M \neq N < \mathcal{S}^\alpha$  By rule $\backslash X$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(M \neq N) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash M \neq N < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G X$
$\Gamma;\mathcal{D} < \mathcal{S}^\alpha$  By sub-derivation
$\Gamma;\mathcal{D} \vdash \mathrm{Not}_G(M \neq N) = (M = N)$  By rule $\mathrm{Not}_G{\neq}$
$\Gamma;\mathcal{D} \backslash M = N < \mathcal{S}^\alpha$  By rule $\backslash X$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(Q) < \mathcal{S}^\alpha$:

By sub-derivation $\Gamma;\mathcal{D} < \mathcal{S}^\alpha$; there are two ways to augment an atom:

Subcase: $\cdot;\top \vdash \mathit{aug}_G(Q) = Q$:

$\cdot;\top \backslash Q < \mathcal{S}^\alpha$  By rule $\backslash\mathrm{At}$
$\cdot;\top \backslash \neg Q < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G\mathrm{At}$
$\cdot;\top \backslash \mathrm{Not}_G(Q) < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G$
$\cdot;\top \backslash \mathrm{Not}_G(\mathit{aug}_G(Q)) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\mathrm{At}\top$

Subcase: $\Gamma;\mathcal{D} \vdash \mathit{aug}_G(Q) = \mathrm{Not}_\alpha(\mathcal{D}) \to Q$:

$\Gamma;\mathcal{D} \backslash \mathrm{Not}_\alpha(\mathcal{D}) \to Q < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\mathrm{At}$
$\Gamma;(\mathcal{D} \wedge \mathrm{Not}_\alpha(\mathcal{D})) \backslash Q < \mathcal{S}^\alpha$  By rule $\backslash{\to}$
$\Gamma;(\mathcal{D} \wedge \mathrm{Not}_\alpha(\mathcal{D})) < \mathcal{S}^\alpha$  By sub-derivation
$\Gamma;(\mathcal{D} \wedge \mathrm{Not}_\alpha(\mathcal{D})) \backslash \neg Q < \mathcal{S}^\alpha$  By rule $\backslash\mathrm{At}$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_\alpha(\mathcal{D}) \to \neg Q < \mathcal{S}^\alpha$  By rule $\backslash{\to}$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_\alpha(\mathcal{D}) \to \mathrm{Not}_G(Q) < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G\mathrm{At}$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathrm{Not}_\alpha(\mathcal{D}) \to Q) < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G{\to}$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(Q)) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\mathrm{At}$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(D \to G) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash \mathit{aug}_D(D) \to \mathit{aug}_G(G) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G{\to}$
$\models_{\mathcal{S}^\alpha} \mathit{aug}_D(D)$ and $\Gamma;(\mathcal{D} \wedge \mathit{aug}_D(D)) \backslash \mathit{aug}_G(G) < \mathcal{S}^\alpha$  By rule $\backslash{\to}$
$\Gamma;(\mathcal{D} \wedge \mathit{aug}_D(D)) \backslash \mathrm{Not}_G(\mathit{aug}_G(G)) < \mathcal{S}^\alpha$  By IH 2
$\Gamma;\mathcal{D} \backslash \mathit{aug}_D(D) \to \mathrm{Not}_G(\mathit{aug}_G(G)) < \mathcal{S}^\alpha$  By rule $\backslash{\to}$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_D(D) \to \mathit{aug}_G(G)) < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G{\to}$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(D \to G)) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G{\to}$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(\forall x{:}a.\,G) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash \forall x{:}a.\,\mathit{aug}_G(G) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\forall$
$(\Gamma, y{:}a);\mathcal{D} \backslash [y/x]\mathit{aug}_G(G) < \mathcal{S}^\alpha$  By rule $\backslash\forall$
$(\Gamma, y{:}a);\mathcal{D} \backslash [y/x]\mathrm{Not}_G(\mathit{aug}_G(G)) < \mathcal{S}^\alpha$  By IH 2
$\Gamma;\mathcal{D} \backslash \forall x{:}a.\,\mathrm{Not}_G(\mathit{aug}_G(G)) < \mathcal{S}^\alpha$  By rule $\backslash\forall$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\forall x{:}a.\,\mathit{aug}_G(G)) < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G\forall$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(\forall x{:}a.\,G)) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\forall$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_1 \vee G_2) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_1) \vee \mathit{aug}_G(G_2) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\vee$
$\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_1) < \mathcal{S}^\alpha$ and $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_2) < \mathcal{S}^\alpha$  By rule $\backslash\vee$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1)) < \mathcal{S}^\alpha$ and $\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_2)) < \mathcal{S}^\alpha$  By IH 2
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1)) \wedge \mathrm{Not}_G(\mathit{aug}_G(G_2)) < \mathcal{S}^\alpha$  By rule $\backslash\wedge$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1) \vee \mathit{aug}_G(G_2)) < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G\vee$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1 \vee G_2)) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\vee$

Case: $\gamma$ ends in $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_1 \wedge G_2) < \mathcal{S}^\alpha$:

$\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_1) \wedge \mathit{aug}_G(G_2) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\wedge$
$\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_1) < \mathcal{S}^\alpha$ and $\Gamma;\mathcal{D} \backslash \mathit{aug}_G(G_2) < \mathcal{S}^\alpha$  By rule $\backslash\wedge$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1)) < \mathcal{S}^\alpha$ and $\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_2)) < \mathcal{S}^\alpha$  By IH 2
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1)) \vee \mathrm{Not}_G(\mathit{aug}_G(G_2)) < \mathcal{S}^\alpha$  By rule $\backslash\vee$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1) \wedge \mathit{aug}_G(G_2)) < \mathcal{S}^\alpha$  By rule $\mathrm{Not}_G\wedge$
$\Gamma;\mathcal{D} \backslash \mathrm{Not}_G(\mathit{aug}_G(G_1 \wedge G_2)) < \mathcal{S}^\alpha$  By rule $\mathit{aug}_G\wedge$

□

We can combine the two latter lemmata, 6.28 and 6.30, to prove that augmentation guarantees that static and dynamic clauses are closed under complementation.

Corollary 6.31 (Closure under Complementation) If $\models_{\mathcal{S}} D$, then $\models_{\mathcal{S}^\alpha} \mathrm{Not}_D(\mathit{aug}_D(D))$.

6.7 Exclusivity

We are now in a position to prove the main result of this Chapter, namely that clause complementation satisfies the boolean rules of negation, in the form of exclusivity and exhaustivity. We remark that this holds due to the fact that context schemata allow only 'well-behaved' goals to be posed. For example, consider the query $G = \neg\mathit{even}(0) \to \mathit{even}(\mathit{s}(\mathit{s}(0)))$, which is such that both $\cdot;\top \vdash_{\mathit{even}} G$ and $\cdot;\top \vdash_{\neg\mathit{even}} \mathrm{Not}_G(G)$ are provable. By definition of schema satisfaction, this is not a legal query. Similarly, the following counter-example to exhaustivity, $\top \nvdash_{\mathit{even}} \forall x{:}\mathit{nat}.\ \mathit{even}(x)$, is not allowed. Moreover, the Context Preservation Theorems (Theorem 6.13 and 6.14) guarantee that, from allowed run-time contexts and goals, only allowed subgoals are generated.

We use $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G)$ for $\Gamma \vdash \mathrm{Not}_G(G) = G'$ and $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G'$; also, $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D) \gg \neg Q$ for $\mathrm{Not}_D(D) = D'$ and $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D' \gg \neg Q$; similarly for $\mathrm{Not}_\alpha$. We use $\mathcal{P}$ to denote the conjunction of a positive program $\mathcal{P}^+$ and its negation $\mathcal{P}^- = \mathrm{Not}_D(\mathcal{P}^+)$.

Theorem 6.32 (Exclusivity) Let $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(\mathcal{P})$ and $\Gamma;\mathcal{D} < \mathcal{S}^\alpha$. For every goal $G$ such that $\Gamma;\mathcal{D} \backslash G < \mathcal{S}^\alpha$, it is not the case that there is $\mathcal{S}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} G$ and there is $\mathcal{S}^- :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G)$.

Proof: We generalize this to:

2.1 Let $D \subseteq \mathrm{def}(q, \mathcal{P})$: it is not the case that $\mathcal{I}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\mathcal{I}^- :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D) \gg \neg Q$. By mutual induction on the structure of $\mathcal{I}^+$ and $\mathcal{S}^+$, by assuming their existence:
Case:
$$\mathcal{I}^+ = \frac{}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bot_q \gg Q}\ \gg\bot$$

But there can be no proof of $\neg Q$ from $\mathrm{Not}_D(\bot_q) = \top_q$.

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_n = M_n \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(q\,N_n \leftarrow G) \gg q\,M_n}\ \gg{\to}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(\forall(q\,N_n \leftarrow G)) \gg \neg q\,M_n$.

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_n = M_n$  By sub-derivation
$\cdot \vdash M_n \in \|N_n\|$ (*)  By definition of $\|\cdot\|$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{N \in \mathrm{Not}(N_n)} \forall(\neg q\,N \leftarrow \top) \wedge \forall(\neg q\,N_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\,M_n$  By rule $\mathrm{Not}_D$

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{N \in \mathrm{Not}(N_n)} \forall(\neg q\,N \leftarrow \top) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\,S_n \leftarrow \top) \gg \neg q\,M_n$ for some $S_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta](\neg q\,S_n \leftarrow \top) \gg \neg q\,M_n$ for some $\theta$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]S_n = M_n$  By inversion
$\cdot \vdash M_n \in \|\mathrm{Not}(N_n)\|$  By definition of $\|\cdot\|$
$\bot$  By term exclusivity with (*)

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\,N_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G([\sigma]G)$  By inversion
$\bot$  By IH 1 w.r.t. $\mathcal{S}^+$

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \vee D_2) \gg Q}\ \gg\vee$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1 \vee D_2) \gg \neg Q$.

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \wedge \mathrm{Not}_D(D_2) \gg \neg Q$  By rule $\mathrm{Not}_D\vee$

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \gg \neg Q$  By inversion
$\bot$  By IH 2.1

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_2) \gg \neg Q$  By inversion
$\bot$  By IH 2.1

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \gg{\wedge_1}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1 \wedge D_2) \gg \neg Q$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \vee \mathrm{Not}_D(D_2) \gg \neg Q$  By rule $\mathrm{Not}_D\wedge$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \gg \neg Q$  By inversion
$\bot$  By IH 2.1

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \gg{\wedge_2}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1 \wedge D_2) \gg \neg Q$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \vee \mathrm{Not}_D(D_2) \gg \neg Q$  By rule $\mathrm{Not}_D\wedge$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_2) \gg \neg Q$  By inversion
$\bot$  By IH 2.1

2.2 Let $D \subseteq \mathrm{def}(q, \mathcal{P})$ and $D' \subseteq \mathrm{def}(q, \mathcal{D})$. It is not the case that $\mathcal{I}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\mathcal{I}^- :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D') \gg \neg Q$. By simultaneous induction on the structure of $\mathcal{I}^+$ and $\mathcal{I}^-$:

No case for $\mathcal{I}^+$ ends in $\gg\top$.

Case:
$$\mathcal{I}^+ = \frac{}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bot_q \gg Q}\ \gg\mathrm{At}$$

By schema satisfaction there can be no formula in the dynamic definition of $q$.

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]S_n = M_n \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(q\,S_n \leftarrow G) \gg q\,M_n}\ \gg{\to}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(\forall(q\,T_n \leftarrow G')) \gg \neg q\,M_n$.

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]S_n = M_n$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]S_i = M_i$ for every $1 \leq i \leq n$ (*)  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (\bigwedge_{x \in \mathrm{dom}(\Gamma)} \Gamma \vdash \mathrm{Not}^{\to}_x(q\,T_n) \wedge (\bigwedge_{1 \leq i \leq n,\ x R^i q} \mathrm{Not}^{i}_x(q\,T_n))) \wedge \forall(\neg q\,T_n \leftarrow \mathrm{Not}_G(G')) \gg \neg q\,M_n$  By rule $\mathrm{Not}_\alpha$

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \Gamma \vdash \mathrm{Not}^{\to}_x(q\,T_n) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{1 \leq j \leq n} \forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\ \neg q\,[e_x/Z_j]Z_n \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_j$  By inversion
$\bot$  From line (*) and $S_j$ rigid

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{1 \leq i \leq n,\ x R^i q} \mathrm{Not}^{i}_x(q\,T_n) \gg \neg q\,M_n$ for a fixed $x$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}^{i}_x(q\,T_n) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{1 \leq j \leq n} \bigwedge_{N \in \Gamma \vdash \mathrm{Not}(T_j)} \forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\ \neg q\,[e_x/Z_i, N/Z_j]Z_n \gg \neg q\,M_n$  By rule $\mathrm{Not}^{i}_x$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_i$  By inversion
$\bot$  From line (*) and $S_i$ rigid

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\,T_n \leftarrow \mathrm{Not}_G(G')) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]T_n = M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_j$ for some $1 \leq j \leq n$  By complementable clause
$\bot$  From line (*) and $S_j$ rigid

Case: $\mathcal{I}^+$ ends in $\gg{\to}$, $\mathcal{I}^-$ ends in $\gg\bot$: there can be no proof of $\neg Q$ from $\Gamma \vdash \mathrm{Not}_\alpha(\bot_q) = \top_q$.

Case: $\mathcal{I}^+$ ends in $\gg{\to}$, $\mathcal{I}^-$ ends in $\gg\top$:

Subcase: $\Gamma = \cdot$ or for all $x \in \mathrm{dom}(\Gamma)$, for all $1 \leq i \leq n$ it is not the case that $x R^i q$: then $\Gamma \vdash \mathrm{Not}_\alpha(\top_q) = \top_q$ and there can be no proof of $\neg Q$ from $\top_q$.

Subcase: else $\Gamma \vdash \mathrm{Not}_\alpha(\top_q) = \bigwedge_{x \in \mathrm{dom}(\Gamma)} (\bigwedge_{1 \leq i \leq n,\ x R^i q} \mathrm{Not}^{i}_x(\top_q))$; fix $x, i$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \Gamma \vdash \mathrm{Not}^{i}_x(\top_q) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{1 \leq j \leq n} \forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\ \neg q\,[e_x/Z_j]Z_n \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_j$  By inversion
$\bot$  Above line and rigidity restriction on $S_j$ (*).

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \vee D_2) \gg Q}\ \gg\vee$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D') \gg \neg Q$.

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$  By sub-derivation
$\bot$  By IH 2.2

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \gg{\wedge_1}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D') \gg \neg Q$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$  By sub-derivation
$\bot$  By IH 2.2

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \gg{\wedge_2}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D') \gg \neg Q$. Symmetric to the above.

Case:
$$\mathcal{I}^- = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1') \gg \neg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1' \vee D_2') \gg \neg Q}\ \gg{\wedge_1}$$
and $\mathcal{I}^+$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$. By IH 2.2.

Case:
$$\mathcal{I}^- = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_2') \gg \neg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1' \vee D_2') \gg \neg Q}\ \gg{\wedge_2}$$
and $\mathcal{I}^+$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$. By IH 2.2.

Case:
$$\mathcal{I}^- = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1') \gg \neg Q \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_2') \gg \neg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1' \wedge D_2') \gg \neg Q}\ \gg\vee$$
and $\mathcal{I}^+$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$. By IH 2.2.


2.3 Let $D \subseteq \mathrm{def}(q, \mathcal{D})$ and $D' \subseteq \mathrm{def}(q, \mathcal{P})$. It is not the case that $\mathcal{I}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\mathcal{I}^- :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D') \gg \neg Q$. By simultaneous induction on the structure of $\mathcal{I}^+$ and $\mathcal{I}^-$. Note that by the restriction to complementable programs, some SPE occurs in $D$; we thus use the notation $N^{x}_n$.

No case for $\mathcal{I}^+$ ends in $\gg\top$.

No case for $\mathcal{I}^+$ ends in $\gg\bot$, since by the restriction to complementable clauses, $\bot$ cannot occur as an assumption.

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N^{x}_n = M_n \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]H}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(q\,N^{x}_n \leftarrow H) \gg q\,M_n}\ \gg{\to}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(\forall(q\,S_n \leftarrow G)) \gg \neg q\,M_n$.

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N^{x}_n = M_n$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_i$ (*) for some $1 \leq i \leq n$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{T \in \cdot \vdash \mathrm{Not}(S_n)} \forall(\neg q\,T \leftarrow \top) \wedge \forall(\neg q\,S_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\,M_n$  By rule $\mathrm{Not}_D$

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{T \in \cdot \vdash \mathrm{Not}(S_n)} \forall(\neg q\,T \leftarrow \top) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\,T_n \leftarrow \top) \gg \neg q\,M_n$ for some $T_n \in \cdot \vdash \mathrm{Not}(S_n)$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta](\neg q\,T_n \leftarrow \top) \gg \neg q\,M_n$ for some $\theta$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]T_n = M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]T_i = M_i$  By inversion
$\bot$  By (*)

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\,S_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta']S_n = M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta']S_i = M_i$  By inversion
$\bot$  From line (*) and $S_i$ rigid.

No case for $\mathcal{I}^+$ ends in $\gg{\to}$, $\mathcal{I}^-$ ends in $\gg\top$: if $\top_q$ is the only definition for $q$, then by schema satisfaction $\forall(q\,N^{x}_n \leftarrow H)$ could not be an assumption.

No case for $\mathcal{I}^+$ ends in $\gg{\to}$, $\mathcal{I}^-$ ends in $\gg\bot$: ditto.

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \gg{\wedge_1}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D') \gg \neg Q$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$  By sub-derivation
$\bot$  By IH 2.2

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \gg{\wedge_2}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D') \gg \neg Q$. Symmetric to the above.

Case:
$$\mathcal{I}^- = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1') \gg \neg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1' \vee D_2') \gg \neg Q}\ \gg{\wedge_1}$$
and $\mathcal{I}^+$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$. By IH 2.3.

Case:
$$\mathcal{I}^- = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_2') \gg \neg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1' \vee D_2') \gg \neg Q}\ \gg{\wedge_2}$$
and $\mathcal{I}^+$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$. By IH 2.3.

Case:
$$\mathcal{I}^- = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1') \gg \neg Q \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_2') \gg \neg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1' \wedge D_2') \gg \neg Q}\ \gg\vee$$
and $\mathcal{I}^+$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$. By IH 2.3.

2.4 Let $D \subseteq \mathrm{def}(q, \mathcal{D})$ and $D' \subseteq \mathrm{def}(q, \mathcal{D})$. There are two main cases, according to whether $D$ and $D'$ belong to the same block (and in this case it suffices to consider $D = D'$) or not:

1. It is not the case that $\mathcal{I}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\mathcal{I}^- :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D) \gg \neg Q$. By mutual induction on the structure of $\mathcal{I}^+$ and $\mathcal{S}^+$.

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_n = M_n \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(q\,N_n \leftarrow G) \gg q\,M_n}\ \gg{\to}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(\forall(q\,N_n \leftarrow G)) \gg \neg q\,M_n$.

$\mathcal{S}_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_n = M_n$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (\bigwedge_{x \in \mathrm{dom}(\Gamma)} \Gamma \vdash \mathrm{Not}^{\to}_x(q\,N_n) \wedge (\bigwedge_{1 \leq i \leq n,\ x R^i q} \mathrm{Not}^{i}_x(q\,N_n))) \wedge \forall(\neg q\,N_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\,M_n$  By rule $\mathrm{Not}_\alpha$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_i = M_i$ (+) for all $1 \leq i \leq n$  By inversion
$\Gamma \vdash M_i \in \|N_i\|$ (*) for all $1 \leq i \leq n$  By inversion

Subcase: $[\sigma]N_i \neq e_x$, $[\sigma]N_i$ rigid:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \Gamma \vdash \mathrm{Not}^{\to}_x(q\,N_n) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{1 \leq j \leq n} \forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\ \neg q\,[e_x/Z_j]Z_n \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_j$  By inversion
$\bot$  Above line and (+).

Subcase: $[\sigma]N_i = e_x$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (\bigwedge_{1 \leq i \leq n,\ x R^i q} \mathrm{Not}^{i}_x(q\,N_n)) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}^{i}_x(q\,N_n) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{1 \leq j \leq n} \bigwedge_{N \in \Gamma \vdash \mathrm{Not}(N_j)} \forall(\neg q\,[e_x/Z_i, N/Z_j]Z_n \leftarrow \top) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{N \in \Gamma \vdash \mathrm{Not}(N_j)} \forall(\neg q\,[e_x/Z_i, N/Z_j]Z_n \leftarrow \top) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} M_j = [\theta]N$  By inversion
$\Gamma \vdash M_j \in \|N\|$ for some $N \in \Gamma \vdash \mathrm{Not}(N_j)$  By definition of $\|\cdot\|$
$\bot$  By term exclusivity (4.21) with line (*)

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\,N_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G([\sigma]G)$  By inversion
$\bot$  By IH 1 on $\mathcal{S}_1$

Case: $\mathcal{I}^+$ ends in $\gg\vee$, $\gg{\wedge_1}$, $\gg{\wedge_2}$: by IH 2.4.1, similarly to case 2.1 with $\mathrm{Not}_\alpha$ in place of $\mathrm{Not}_D$.

2. It is not the case that $\mathcal{I}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\mathcal{I}^- :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D') \gg \neg Q$. By simultaneous induction on the structure of $\mathcal{I}^+$ and $\mathcal{I}^-$:

No case for $\mathcal{I}^+$ ends in $\gg\top$.

No case for $\mathcal{I}^+$ ends in $\gg\bot$, by restriction to complementable clauses and schema satisfaction.

No case for $\mathcal{I}^+$ ends in $\gg{\to}$, $\mathcal{I}^-$ ends in $\gg\bot$, as above.

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N^{x}_n = M_n \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(q\,N^{x}_n \leftarrow G) \gg q\,M_n}\ \gg{\to}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(\forall(q\,S_n \leftarrow G')) \gg \neg q\,M_n$, from a different block.

$\mathcal{S}_1 :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N^{x}_n = M_n$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (\bigwedge_{x \in \mathrm{dom}(\Gamma)} \Gamma \vdash \mathrm{Not}^{\to}_x(q\,S_n) \wedge (\bigwedge_{1 \leq i \leq n,\ x R^i q} \mathrm{Not}^{i}_x(q\,S_n))) \wedge \forall(\neg q\,S_n \leftarrow \mathrm{Not}_G(G')) \gg \neg q\,M_n$  By rule $\mathrm{Not}_\alpha$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_i = M_i$ (+) for all $1 \leq i \leq n$  By inversion

Subcase: $[\sigma]N_i \neq e_x$, $[\sigma]N_i$ rigid:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \Gamma \vdash \mathrm{Not}^{\to}_x(q\,S_n) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{1 \leq j \leq n} \forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\ \neg q\,[e_x/Z_j]Z_n \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_j$  By inversion
$\bot$  Above line, $N_j$ rigid and (+).

Subcase: $[\sigma]N_i = e_x$:

$\bot$  Above line, eigenvariable condition and (+).

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\,S_n \leftarrow \mathrm{Not}_G(G')) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]S_n = M_n$  By inversion
$\bot$  Above line, eigenvariable condition and (+).

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_n = M_n \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(q\,N_n \leftarrow G) \gg q\,M_n}\ \gg{\to}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(\top_q) \gg \neg q\,M_n$, from a different block.

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]G$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_n = M_n$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \bigwedge_{x \in \mathrm{dom}(\Gamma)} (\bigwedge_{1 \leq i \leq n,\ x R^i q} \mathrm{Not}^{i}_x(\top_q)) \gg \neg q\,M_n$  By rule $\mathrm{Not}_\alpha\top$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_i = M_i$ (+) for all $1 \leq i \leq n$  By inversion
$\Gamma \vdash M_i \in \|N_i\|$ (*) for all $1 \leq i \leq n$  By inversion

Subcase: $[\sigma]N_i \neq e_x$, $[\sigma]N_i$ rigid:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \Gamma \vdash \mathrm{Not}^{i}_x(\top_q) \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall Z_1{:}A_1.\ldots\forall Z_n{:}A_n.\ \neg q\,[e_x/Z_j]Z_n \gg \neg q\,M_n$  By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} e_x = M_j$  By inversion
$\bot$  Above line and (+).

Case:
$$\mathcal{I}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \gg{\wedge_1}$$
and $\mathcal{I}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D') \gg \neg Q$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D_1 \gg Q$  By sub-derivation
$\bot$  By IH 2.4.2

Case: $\mathcal{I}^+$ ends in $\gg{\wedge_i}$, $\gg\vee$, $\mathcal{I}^-$ ends in $\gg{\wedge_i}$, $\gg\vee$: analogously by IH 2.4.2.


1. By induction on the structure of $\mathcal{S}^+$.

Case:
$$\mathcal{S}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{def}(q, \mathcal{P} \wedge \mathcal{D}) \gg Q}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} Q}\ \vdash\mathrm{atm}$$
and $\mathcal{S}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(Q)$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{def}(q, \mathcal{P} \wedge \mathcal{D}) \gg Q$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \neg Q$  By rule $\mathrm{Not}_G\mathrm{At}$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{def}(\neg q, \mathcal{P} \wedge \mathcal{D}) \gg \neg Q$  By inversion

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(\mathrm{def}(q, \mathcal{P})) \gg \neg Q$  By definition
$\bot$  By IH 2.$i$, $i \in \{1, 3\}$ according to $D$ static or dynamic

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(\mathrm{def}(q, \mathcal{D})) \gg \neg Q$  By definition
$\bot$  By IH 2.$i$, $i \in \{2, 4\}$ according to $D$ static or dynamic

Case:
$$\mathcal{S}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \qquad \Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \wedge G_2}\ \vdash\wedge$$
and $\mathcal{S}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1 \wedge G_2)$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1) \vee \mathrm{Not}_G(G_2)$  By rule $\mathrm{Not}_G\wedge$

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1)$  By inversion
$\bot$  By IH 1

Subcase: $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_2)$  By inversion
$\bot$  By IH 1

Case:
$$\mathcal{S}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \vee G_2}\ \vdash\vee$$
and $\mathcal{S}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1 \vee G_2)$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1) \wedge \mathrm{Not}_G(G_2)$  By rule $\mathrm{Not}_G\vee$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1)$  By inversion
$\bot$  By IH 1

Case:
$$\mathcal{S}^+ = \frac{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_2}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} G_1 \vee G_2}\ \vdash\vee$$
and $\mathcal{S}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1 \vee G_2)$. Symmetrical.

Case:
$$\mathcal{S}^+ = \frac{(\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G'}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall x{:}a.\,G'}\ \vdash\forall$$
and $\mathcal{S}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(\forall x{:}a.\,G')$:

$(\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} [y/x]G'$  By sub-derivation
$(\Gamma, y{:}A);\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G([y/x]G')$  By rule $\mathrm{Not}_G\forall$
$\bot$  By IH 1

Case:
$$\mathcal{S}^+ = \frac{\Gamma;(\mathcal{D} \wedge D') \vdash_{\mathcal{P}} G'}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D' \to G'}\ \vdash{\to}$$
and $\mathcal{S}^-$ ends in $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(D' \to G')$:

$\Gamma;(\mathcal{D} \wedge D') \vdash_{\mathcal{P}} G'$  By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D' \to \mathrm{Not}_G(G')$  By rule $\mathrm{Not}_G{\to}$
$\Gamma;(\mathcal{D} \wedge D') \vdash_{\mathcal{P}} \mathrm{Not}_G(G')$  By inversion
$\bot$  By IH 1

Case: The (dis)equality case follows from the decidability of the (dis)equality judgment.

□


Note that the proof goes through because there is no 'bad' interaction between the static and dynamic definition of a predicate; namely, in sub-case 2.2 there is no overlap between a clause from $\mathrm{def}(q, \mathcal{P})$ and one from $\mathrm{def}(\neg q, \mathcal{D})$, since in every atomic assumption there must be an occurrence of a new parameter and every term at the same position in a program clause head must be rigid. Symmetrically for 2.3. Sub-case 2.4 holds analogously to the first case 2.1, which is based on term exclusivity (Corollary 4.21). In the latter case, it suffices to consider, for $D \subseteq \mathrm{def}(q, \mathcal{P})$, only $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D \gg Q$ and $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D) \gg \neg Q$, because the positive definition is a conjunction, while the negative one is a disjunction; 2.4 needs to discriminate whether the two dynamic assumptions belong to the same block: if so, the same remark applies. If not, the (pivot) eigenvariable condition ensures non-overlapping.

The condition requiring programs to have clause heads with rigid terms may seem too restrictive; the natural way to relax it, requiring that only one of those terms which occur in the same position as a parameter in each assumption needs to be rigid, turns out to be inconsistent; in fact, the property needs to be preserved in the negative program as well. Consider the following counterexample:

$$\begin{array}{l}
\mathit{plam} : p\ (\mathit{lam}\ E)\ (\mathit{lam}\ F) \leftarrow \forall x{:}\mathit{exp}.\ p\ (E\ x)\ (F\ x).\\
\mathit{papp} : p\ (\mathit{app}\ E_1\ E_2)\ F.
\end{array}$$

Augmentation will insert the clause $\forall(\neg p\ x\ H \wedge \neg p\ H'\ x)$, which now overlaps with $\neg\mathit{papp}$. As a result both $p\ (\mathit{lam}(\lambda x{:}\mathit{exp}.\ \mathit{app}\ x\ x))\ (\mathit{lam}(\lambda y{:}\mathit{exp}.\ y))$ and its negation are provable.

As we remarked earlier, the rigidity condition applies only to predicate definitions which are mutually recursive with non-Horn ones. Thus, any such program which uses a 'catch-all' clause in those positions is forbidden; nevertheless it is easy to avoid catch-all clauses via explicit coercion or (sometimes) partial evaluation. Finally, we remark that any other (decidable) condition which avoids overlap between static and dynamic clauses will do; the one we have proposed is statically checkable, certainly not 'ad hoc', and has been dictated by the practice of logical frameworks.
6.8 Exhaustivity

Theorem 6.33 (Exhaustivity) Let $\models_{\mathcal{S}^\alpha} \mathit{aug}_D(\mathcal{P})$ and $\Gamma;\mathcal{D} < \mathcal{S}^\alpha$. For every goal $G$ such that $\Gamma;\mathcal{D} \backslash G < \mathcal{S}^\alpha$, if $\Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G$ then $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G)$.

Proof: Note that $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{def}(\neg q, \mathcal{P} \wedge \mathcal{D}) \gg \neg Q$ iff so does every disjunct. We generalize this to:

1. If $\mathcal{S}^- :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} G$, then $\mathcal{S}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G)$.

2.1 If $D \subseteq \mathrm{def}(Q, \mathcal{P})$ and $\mathcal{I}^- :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$, then $\mathcal{I}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D) \gg \neg Q$.

2.2 If $D \subseteq \mathrm{def}(Q, \mathcal{D})$ and $\mathcal{I}^- :: \Gamma;\mathcal{D} \nvdash_{\mathcal{P}} D \gg Q$, then $\mathcal{I}^+ :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D) \gg \neg Q$.

The proof is by mutual induction on the structure of $\mathcal{S}^-$ and $\mathcal{I}^-$. We start with part 2.1:


Case: 

I"  = - »T 

F;PI/p  T»Q 

Then  NotD(T)  =  ±  and 

1+= - »1 

T\V\-'p  _L>>>-«(3 


for  A\eT',V\/T,[e]Nn^  Mn 

J“  = - nz: - >> 

r;P^pV(giV„^C?)»gMn 


for  all(9r;P^^  [6]N^  =  1^ 
for  all  e 

Ej|Not(iV,)||  _  _ 

Mn  =  [^T]5n  for  some  a  and  5^  G  •  H  Not(A^n) 

T\V^'p  Mn  —  _ 

F;  P  hp  V(-'^  5n  ^  T)»“'9  _ 

F;  T>  hp  A^G-i-Not(7^)  '^(“’9  ^  ^ 

1-75  A^€-l-Not(i^)  ‘5'n  T)  AV(-.g  Mn  E- 

F;P  hp  NotD(V(^  Nn  ^  G)»-^q  Mn) 


By  sub-derivation 
By  rule  \/= 
By  definition  of  1|_1| 
By  term  exhaustivity  (4.21) 
By  definition  of  1|-|| 
By  rule  h= 
By  rule  >>>V 

By  appropriate  applications  of  rule 
NotG(G))»~iQ'  Mn  By  rule  »Ai 

By  rule  NotD» 


Case:

$I^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} [\sigma]N_n \neq M_n \qquad \Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} [\sigma]G}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} \forall(q\ N_n \leftarrow G) \gg q\ M_n}\ \not\gg{\to}_2$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} [\sigma]N_n \neq M_n$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\sigma]N_n = M_n$   By rule $\vdash{=}$
$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} [\sigma]G$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G([\sigma]G)$   By IH 1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall(\neg q\ N_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\ M_n$   By rule $\gg{\to}$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} (\bigwedge_{N \in \Gamma \vdash \mathrm{Not}(N_n)} \forall(\neg q\ N \leftarrow \top)) \wedge \forall(\neg q\ N_n \leftarrow \mathrm{Not}_G(G)) \gg \neg q\ M_n$   By rule $\gg\wedge_2$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(\forall(q\ N_n \leftarrow G)) \gg \neg q\ M_n$   By rule $\mathrm{Not}_D{\to}$

Case:

$I^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (D_1 \vee D_2) \gg Q}\ \not\gg\vee_1$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \gg \neg Q$   By IH 2.1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \wedge \mathrm{Not}_D(D_2) \gg \neg Q$   By rule $\gg\wedge_1$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1 \vee D_2) \gg \neg Q$   By rule $\mathrm{Not}_D\vee$

Case:

$I^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (D_1 \vee D_2) \gg Q}\ \not\gg\vee_2$

Symmetrical to the above.

Case:

$I^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q \qquad \Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \not\gg\wedge$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_2 \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \gg \neg Q$   By IH 2.1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_2) \gg \neg Q$   By IH 2.1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1) \vee \mathrm{Not}_D(D_2) \gg \neg Q$   By rule $\gg\vee$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D_1 \wedge D_2) \gg \neg Q$   By rule $\mathrm{Not}_D\wedge$


2.2  I  Recall  that  q  stands  for  9  Mi  . . .  Mi-i  M^+i  . . .  Mn,  for  x\A  G  F: 
Case: 


J-  = 


F ;  T)  \/'p  'y q'^q  M®^ 


»T 


T^,Vhv[MiJZn]Zn  =  Ml  _ 

F;P  hp  VZi :  Ai.  . . .  VZn:  An-  ^q  [exlZi]ZnZn'»~^q  Ml 

ri2)hprhNotf(T,)»-.9M> 


By  rule  h= 
By  rule  »V 


Case: 


'y  rule  F  h  Notj, 

T;  V  Vv  Axedom(r)  Ai<i<n,xfiw  Noti(T ,)»-'g  By  appropriate  applications  of  rule  »A 

F;  V  hp  Nota(Tg)»-ig  M^^^  By  rule  NotaT 

x\a  G  F,  for  all  0  F;  P  I/p  A^n  =  Ml 

j-  = - 


r;Pt/pV(giV„^G)»9M« 


for  all  0  F;  P  I/p  [^]Nn  =  5  M^^^  and  x\a  G  F 


By  sub-derivation 


Subcase:  Cx  ^  Ni  rigid  by  definition  for  some  1  <  z  <  n; 

F;  P  hp  [Mfj^]Z;;  ^mT  _  _  By  rule  h= 

F;P  hp  VZi : i4i.  . . .  VZ„:An.-ig  [ex/Zi]Zn»^q  Ml^  •  _  By  rule  »V 

F;Php  VZi :  Ai .  .,,yZn‘An.^q  [6x/Zi]Zfi)^^~'q  Mi^ 

By  appropriate  applications  of  rule  »A 

r;P  l-p  r  h  Not^(g  iv^  _  By  rule  T  h  Not^ 

F;  V  h'p  (Ai6dom(r)  ^  Not^ (q  M„)  A  (Ai<t<n,i/?‘g  ^  ^  Not3.(g  Mn)))  A  V(-'g  Mn)  ■<—  G'»-'5 

By  appropriate  applications  of  rule  >5>A 
r;X>  hp  Nota(V(g  Nn  f-  G))»-'g  Mj^  By  rule  Nota  -> 


Subcase:  Cx  =  [6]Ni,Mj  ^  for  1  <  i,j  <  n,i  ^  i: 
for  all  61  [e]7Vj  56  Mj 
t^Mj^WNjW 
FhMj  G||Not(iV^)ll 

Mj  =  [(7]N  for  some  a  and  TV  G  F  h  Not(A^j) 
F;Php  Mj  =  [a]N 


By  rule  \/= 
By  definition  of  ||-.|| 
By  term  exhaust ivity  (4.21) 
By  definition  of  ||-|| 
By  rule  h= 
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T\V  hp  V(--'g  [ex/Zi,N/Zj]Zn  ^  T)^-^q  By  rule  » 

\-v  AArerhNot(Mj)  [^x/Zi,N/Zj]Zn  ^  T)>>>->g 

By  appropriate  applications  of  rule  »A 
T;V  \-p  Al  <j<n  A  A/'6ri-Not{Mj)  [^x/Zi,  N/Zj]Zn  <-  T)»”ng  Ml^ 

By  appropriate  applications  of  rule  »A 
r;P  \~'p  Not*  (Ar„)»-»g  By  rule  Not* 

(Ai<i<n,./^^,Not*(]^)>>-ngI^ 

By  appropriate  applications  of  rule  »A 

Ti'O  l-p  (A  x€dom{T)  ^  ^  Not^(9  Mn)  A  (Ai<i<„,^fl.-,No4(g  M„)))»-9  Mi 

By  appropriate  applications  of  rule  >>>A 

T;Vhr  (Ax6<iom(r)  ^  t"  Not^(9  M^)  A  (Ai<i<„.xfi<,  Not' (9  A^:)))  A  V(-.g  ^  G’)»^q  Mi 

By  rule  »A2 

T;T>  1-7?  NotQ;(V(g  Nn  <-  G))»-»g  By  rule  Nota 

Case:  _ 


T;VVvW]Nn^Mi  T;VVvW]G 

I-  = - m - = - >>-^2 

r;V\/T^i<lNni-G)»qMi 


T-,VVv  M-Nn  #  Mi 

By  sub-derivation 

T;V^T>  [a]Nn  =  Mi 

By  rule  h^ 

r-,VVvW]G 

By  sub-derivation 

r;l?  h7>  NotGM(G) 

By  IH  1 

r-,V  \-v  v(-g  Nn  <-  NotG(G))»-9  Mi 

By  rule  -4 

T^V  h-p  {/\xedom{r)  ^  ^  Not^ {q  Mn)  A  {/\i<i<n,xR'q 

Not*  (g  ]i4)))  A  V(-g  G'»-g  Mf^ 

By  rule  »A2 

T;V\-P  Nota(V(g  <-  G))»^q  M^ 

By  rule  Nota 

Case:

$I^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (D_1 \vee D_2) \gg Q}\ \not\gg\vee_1$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1) \gg \neg Q$   By IH 2.2
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1) \wedge \mathrm{Not}_\alpha(D_2) \gg \neg Q$   By rule $\gg\wedge_1$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1 \vee D_2) \gg \neg Q$   By rule $\mathrm{Not}_\alpha\vee$

Case:

$I^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (D_1 \vee D_2) \gg Q}\ \not\gg\vee_2$

Symmetrical to the above.

Case:

$I^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q \qquad \Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_2 \gg Q}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (D_1 \wedge D_2) \gg Q}\ \not\gg\wedge$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_1 \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D_2 \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1) \gg \neg Q$   By IH 2.2
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_2) \gg \neg Q$   By IH 2.2
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1) \vee \mathrm{Not}_\alpha(D_2) \gg \neg Q$   By rule $\gg\vee$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D_1 \wedge D_2) \gg \neg Q$   By rule $\mathrm{Not}_\alpha\wedge$


Case:

$S^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} \mathrm{def}(Q, \mathcal{D} \wedge \mathcal{P}) \gg Q}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} Q}\ \not\vdash\mathrm{atm}$

Subcase: $D \subset \mathrm{def}(Q, \mathcal{P})$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_D(D) \gg \neg Q$   By IH 2.1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{def}(\neg Q, \mathcal{D} \wedge \mathcal{P}) \gg \neg Q$   By repeated applications of rule $\gg\vee$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(Q)$   By rule $\vdash\mathrm{At}$

Subcase: $D \subset \mathrm{def}(Q, \mathcal{D})$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D \gg Q$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_\alpha(D) \gg \neg Q$   By IH 2.2
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{def}(\neg Q, \mathcal{D} \wedge \mathcal{P}) \gg \neg Q$   By repeated applications of rule $\gg\vee$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(Q)$   By rule $\vdash\mathrm{At}$

Case:

$S^- = \dfrac{}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} \bot}\ \not\vdash\bot$

Then $\mathrm{Not}_G(\bot) = \top$ and

$S^+ = \dfrac{}{\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(\bot)}\ \vdash\top$


Case:

$S^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} G_1 \qquad \Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} G_2}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (G_1 \vee G_2)}\ \not\vdash\vee$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} G_1$   By sub-derivation
$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} G_2$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1)$   By IH 1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_2)$   By IH 1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1) \wedge \mathrm{Not}_G(G_2)$   By rule $\vdash\wedge$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1 \vee G_2)$   By rule $\mathrm{Not}_G\vee$

Case:

$S^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} G_1}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (G_1 \wedge G_2)}\ \not\vdash\wedge_1$

$\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} G_1$   By sub-derivation
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1)$   By IH 1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1) \vee \mathrm{Not}_G(G_2)$   By rule $\vdash\vee$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(G_1 \wedge G_2)$   By rule $\mathrm{Not}_G\wedge$

Case:

$S^- = \dfrac{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} G_2}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} (G_1 \wedge G_2)}\ \not\vdash\wedge_2$

Symmetrical to the above.

Case:

$S^- = \dfrac{\Gamma;\mathcal{D} \wedge D' \not\vdash_{\mathcal{P}} G'}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} D' \to G'}\ \not\vdash{\to}$

$\Gamma;\mathcal{D} \wedge D' \not\vdash_{\mathcal{P}} G'$   By sub-derivation
$\Gamma;\mathcal{D} \wedge D' \vdash_{\mathcal{P}} \mathrm{Not}_G(G')$   By IH 1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} D' \to \mathrm{Not}_G(G')$   By rule $\vdash{\to}$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(D' \to G')$   By rule $\mathrm{Not}_G{\to}$
Case:

$S^- = \dfrac{(\Gamma, y{:}a);\mathcal{D} \not\vdash_{\mathcal{P}} [y/x]G'}{\Gamma;\mathcal{D} \not\vdash_{\mathcal{P}} \forall x{:}a.\,G'}\ \not\vdash\forall$

$(\Gamma, y{:}a);\mathcal{D} \not\vdash_{\mathcal{P}} [y/x]G'$   By sub-derivation
$(\Gamma, y{:}a);\mathcal{D} \vdash_{\mathcal{P}} [y/x]\mathrm{Not}_G(G')$   By IH 1
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \forall x{:}a.\,\mathrm{Not}_G(G')$   By rule $\vdash\forall$
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} \mathrm{Not}_G(\forall x{:}a.\,G')$   By rule $\mathrm{Not}_G\forall$

Case: (dis)equations: immediate.


□ 


Corollary  6.34  Clause  complementation  satisfies  the  boolean  rules  of  negation. 


6.9 Refinements

In the following sections we move towards an operational semantics for our language.

6.9.1 More on Termination

We prove that clause complementation preserves termination, so that a negative program can be used as a decision procedure whenever its positive counterpart can. First some preliminaries: define $\mathrm{Not}(R)$ as follows:

$\mathrm{Not}(\cdot) = \cdot$

$\mathrm{Not}(R, G_1 \prec G_2) = \mathrm{Not}(R), \mathrm{Not}_G(G_1) \prec \mathrm{Not}_G(G_2)$

Observe that, by the restriction to clauses of the form $\forall(Q \leftarrow G)$, it is sufficient to consider only well-orderings on goals. It is clear that negation is preserved under relation union, that is:

$\mathrm{Not}(R_1, R_2) = \mathrm{Not}(R_1), \mathrm{Not}(R_2)$

We will also need the following technical lemma, stating that goal complementation commutes with substitution:

Lemma 6.35 Let $\Gamma \vdash \theta$: $\Gamma \vdash \mathrm{Not}_G([\theta]G) = [\theta]\mathrm{Not}_G(G)$.

Proof: By a simple induction on the structure of the derivation of $\Gamma \vdash \mathrm{Not}_G(G)$. □
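The cases of the Exhaustivity proof above, together with Lemma 6.35, read directly as a recursive definition of $\mathrm{Not}_G$. The following Python is an added example, not code from the dissertation: it encodes a small goal language (dataclasses for goals; strings for variables and constants and tuples for applications are my own conventions), defines not_g by the proof's cases, and checks the substitution lemma on a constructed goal. Two points are assumptions rather than text on the page: $\mathrm{Not}_G(\top) = \bot$ is taken as the dual of $\mathrm{Not}_D(\top) = \bot$, and the hypothesis of an embedded implication is restricted to an atomic assumption, as in the Horn-assumption fragment the chapter works in.

```python
from dataclasses import dataclass
from typing import Dict, Tuple, Union

Term = Union[str, tuple]                      # "x", "z", or ("E", "x") for (E x)

@dataclass(frozen=True)
class Top:
    pass

@dataclass(frozen=True)
class Bot:
    pass

@dataclass(frozen=True)
class Atom:                                   # q M1 ... Mn; negated=True is ¬q M1 ... Mn
    pred: str
    args: Tuple[Term, ...]
    negated: bool = False

@dataclass(frozen=True)
class Eq:                                     # M = N; diseq=True is the disequation M ≠ N
    lhs: Term
    rhs: Term
    diseq: bool = False

@dataclass(frozen=True)
class And:
    left: "Goal"
    right: "Goal"

@dataclass(frozen=True)
class Or:
    left: "Goal"
    right: "Goal"

@dataclass(frozen=True)
class Imp:                                    # D → G with an atomic (Horn) assumption D
    hyp: Atom
    body: "Goal"

@dataclass(frozen=True)
class Forall:                                 # ∀var:typ. body
    var: str
    typ: str
    body: "Goal"

Goal = Union[Top, Bot, Atom, Eq, And, Or, Imp, Forall]


def not_g(g: Goal) -> Goal:
    """Not_G, one clause per case of the Exhaustivity proof; Not_G(⊤) = ⊥ is
    assumed here as the dual of Not_D(⊤) = ⊥."""
    if isinstance(g, Top):
        return Bot()
    if isinstance(g, Bot):
        return Top()                          # Not_G(⊥) = ⊤
    if isinstance(g, Atom):
        return Atom(g.pred, g.args, not g.negated)
    if isinstance(g, Eq):
        return Eq(g.lhs, g.rhs, not g.diseq)  # (dis)equations: swap = and ≠
    if isinstance(g, And):
        return Or(not_g(g.left), not_g(g.right))
    if isinstance(g, Or):
        return And(not_g(g.left), not_g(g.right))
    if isinstance(g, Imp):
        return Imp(g.hyp, not_g(g.body))      # assumption D kept, only the body complemented
    if isinstance(g, Forall):
        return Forall(g.var, g.typ, not_g(g.body))
    raise TypeError(f"not a goal: {g!r}")


def subst_term(t: Term, theta: Dict[str, Term]) -> Term:
    if isinstance(t, str):
        return theta.get(t, t)
    return tuple(subst_term(a, theta) for a in t)


def subst(g: Goal, theta: Dict[str, Term]) -> Goal:
    """[θ]G, for a substitution whose range mentions no bound variable."""
    if isinstance(g, (Top, Bot)):
        return g
    if isinstance(g, Atom):
        return Atom(g.pred, tuple(subst_term(a, theta) for a in g.args), g.negated)
    if isinstance(g, Eq):
        return Eq(subst_term(g.lhs, theta), subst_term(g.rhs, theta), g.diseq)
    if isinstance(g, (And, Or)):
        return type(g)(subst(g.left, theta), subst(g.right, theta))
    if isinstance(g, Imp):
        return Imp(subst(g.hyp, theta), subst(g.body, theta))
    inner = {k: v for k, v in theta.items() if k != g.var}   # ∀x binds x
    return Forall(g.var, g.typ, subst(g.body, inner))


def commutes_with_subst(g: Goal, theta: Dict[str, Term]) -> bool:
    """Lemma 6.35: Not_G([θ]G) = [θ]Not_G(G), checked on one goal and substitution."""
    return not_g(subst(g, theta)) == subst(not_g(g), theta)


# Constructed sample: the body of clause clolam, ∀x:exp. closed x → closed (E x)
CLOLAM_BODY = Forall("x", "exp",
                     Imp(Atom("closed", ("x",)), Atom("closed", (("E", "x"),))))
```

Applying not_g to CLOLAM_BODY yields ∀x:exp. closed x → ¬closed (E x), the body of the ¬closed (lam E) clause of Example 6.39; applying it twice gives the goal back, which is the involution half of Corollary 6.34.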

Lemma 6.36 If $[R]$ is well-founded, so is $[\mathrm{Not}(R)]$.

Proof: Suppose $[\mathrm{Not}(R)]$ is not well-founded. Then there is an infinite descending chain $\ldots \prec [\theta]G_i \prec \ldots \prec [\theta]G_2 \prec [\theta]G_1$. By definition of $\mathrm{Not}(R)$ there is $G'_i$ such that $\mathrm{Not}_G(G'_i) = G_i$ and $G'_i \prec G'_{i-1} \in R$ for some $i \in \omega$. Since by Lemma 6.35 $\mathrm{Not}_G([\theta]G_i) = [\theta]\mathrm{Not}_G(G_i)$, $[R]$ allows an infinite descending chain $\ldots \prec [\theta]G'_i \prec \ldots \prec [\theta]G'_2 \prec [\theta]G'_1$, impossible. □

The final piece is to show that the relation induced by the complement of a program is the complement of the relation induced by the program itself.

Lemma 6.37

1. If $\pi :: D \Rightarrow R$ then $\mathrm{Not}_D(D) \Rightarrow \mathrm{Not}(R)$.

2. If $\alpha :: \Gamma \vdash D \Rightarrow R$ then $\Gamma \vdash \mathrm{Not}_\alpha(D) \Rightarrow \mathrm{Not}(R)$.

3. If $\gamma :: \Gamma \vdash G \Rightarrow R$ then $\Gamma \vdash \mathrm{Not}_G(G) \Rightarrow \mathrm{Not}(R)$.

Proof: By induction on the structure of the given derivations. We prove some selected cases:
Case: $\pi :: \top \Rightarrow \cdot$; $\mathrm{Not}_D(\top) = \bot \Rightarrow \cdot = \mathrm{Not}(\cdot)$.

Case: $\pi$ ends in $\forall(q\ M_n \leftarrow G) \Rightarrow R, [\rho]G \prec [\rho]q\ M_n$, for a global substitution $\rho$:

$\cdot \vdash [\rho]G \Rightarrow R$   By sub-derivation
$\cdot \vdash \mathrm{Not}_G([\rho]G) \Rightarrow \mathrm{Not}(R)$   By IH 2
$\forall(\neg q\ M_n \leftarrow \mathrm{Not}_G(G)) \Rightarrow \mathrm{Not}(R), \mathrm{Not}_G(G) \prec \neg q\ M_n$   By rule
$\bigwedge_{N \in \mathrm{Not}(M_n)} \forall(\neg q\ N \leftarrow \top) \Rightarrow \cdot$   By rule $\wedge$
$(\bigwedge_{N \in \mathrm{Not}(M_n)} \forall(\neg q\ N \leftarrow \top)) \wedge \forall(\neg q\ M_n \leftarrow \mathrm{Not}_G(G)) \Rightarrow \mathrm{Not}(R), \mathrm{Not}_G(G) \prec \neg q\ M_n$   By rule $\wedge$
$= \mathrm{Not}(R), \mathrm{Not}_G(G) \prec \mathrm{Not}_G(q\ M_n)$   By rule $\mathrm{Not}_G\mathrm{At}$
$\mathrm{Not}_D(\forall(q\ M_n \leftarrow G)) \Rightarrow \mathrm{Not}(R, G \prec q\ M_n)$   By def. of $\mathrm{Not}(R)$

Case: $\gamma :: Q \Rightarrow \cdot$; $\mathrm{Not}_G(Q) = \neg Q \Rightarrow \cdot = \mathrm{Not}(\cdot)$.

Case: $\gamma$ ends in $\Gamma \vdash G_1 \wedge G_2 \Rightarrow R_1, R_2, G_1 \prec G_1 \wedge G_2, G_2 \prec G_1 \wedge G_2$:

$\Gamma \vdash G_1 \Rightarrow R_1$ and $\Gamma \vdash G_2 \Rightarrow R_2$   By sub-derivation
$\Gamma \vdash \mathrm{Not}_G(G_1) \Rightarrow \mathrm{Not}(R_1)$ and $\Gamma \vdash \mathrm{Not}_G(G_2) \Rightarrow \mathrm{Not}(R_2)$   By IH 2
$\Gamma \vdash \mathrm{Not}_G(G_1) \vee \mathrm{Not}_G(G_2) \Rightarrow \mathrm{Not}(R_1), \mathrm{Not}(R_2), \mathrm{Not}_G(G_1) \prec \mathrm{Not}_G(G_1) \vee \mathrm{Not}_G(G_2), \mathrm{Not}_G(G_2) \prec \mathrm{Not}_G(G_1) \vee \mathrm{Not}_G(G_2)$   By rule
$\Gamma \vdash \mathrm{Not}_G(G_1 \wedge G_2) \Rightarrow \mathrm{Not}(R_1), \mathrm{Not}(R_2), \mathrm{Not}_G(G_1) \prec \mathrm{Not}_G(G_1 \wedge G_2), \mathrm{Not}_G(G_2) \prec \mathrm{Not}_G(G_1 \wedge G_2)$   By rule
$\Gamma \vdash \mathrm{Not}_G(G_1 \wedge G_2) \Rightarrow \mathrm{Not}(R_1, R_2, G_1 \prec G_1 \wedge G_2, G_2 \prec G_1 \wedge G_2)$   By union and def. of $\mathrm{Not}(R)$


□ 


Corollary 6.38 If $\mathcal{P}$ is terminating, so is $\mathrm{Not}_D(\mathcal{P})$.

Proof: By definition, $\mathcal{P} \Rightarrow R$ and $[R]$ is well-founded; by Lemma 6.37 $\mathrm{Not}_D(\mathcal{P}) \Rightarrow \mathrm{Not}(R)$, and by Lemma 6.36 $[\mathrm{Not}(R)]$ is well-founded. Thus $\mathrm{Not}_D(\mathcal{P})$ is terminating. □

6.9.2 Elimination of ∨

We now show how to eliminate the ∨ operator while preserving provability; this will recover uniformity in proof search. We generalize the approach in [BMPT90], where the operation was defined as follows: for $m_1 : Q_1 \leftarrow G_1$ and $m_2 : Q_2 \leftarrow G_2$:

$m_1 \vee m_2 = \theta(Q_1 \leftarrow G_1 \wedge G_2)$, where $\theta = \mathrm{mgu}(Q_1, Q_2)$

As we remarked earlier, the ∨ operator was introduced to preserve the duality under negation between conjunction and disjunction in clauses. Its use, as a clause constructor, is limited to clauses in the same predicate definition, and therefore it can be eliminated by simulating unification in the definition. Yet the strict higher-order unification problem is quite complex, and potentially complicated further by the mixed quantifier structure of HHF, though this is not the case for our language, which does not have existentials. Moreover, our language already contains variable-variable (dis)equations stemming from left-linearization and normalization of input variables. Finally, we have defined unification of simple terms in Section 4.3 as an intersection operation. This has greatly simplified the presentation, but does not immediately give us a notion of most general unifiers seen as sets of substitutions. We thus choose to compile our source into an intermediate language which makes unification problems explicit as simple equational problems, in the style of the unification logic introduced in [Pfe91a]. Unification can then be performed as constraint simplification, as used in Elf [Pfe89] and Twelf [SP98], in a later stage that we do not describe here.

We adapt the residuation technique used in [Pfe92] to compile immediate implication into resolution. We define the judgment $D_1 \vee D_2 \setminus D$ in Figure 6.14 by simultaneous induction on $D_1$ and $D_2$, with the intended meaning that $D_1 \vee D_2$ compiles to $D$.

$\dfrac{}{\top \vee D \setminus \top}\ \vee\top D$   $\dfrac{}{D \vee \top \setminus \top}\ \vee D\top$

$\dfrac{}{\bot \vee D \setminus D}\ \vee\bot D$   $\dfrac{}{D \vee \bot \setminus D}\ \vee D\bot$

$\dfrac{}{\forall(q\ N_1 \leftarrow G_1) \vee \forall(q\ N_2 \leftarrow G_2) \setminus \forall(q\ N_1 \leftarrow (N_1 = N_2) \wedge G_1 \wedge G_2)}\ \vee\mathrm{AtAt}$

$\dfrac{}{\forall(q\ N_1 \leftarrow G_1) \vee \forall(q'\ N_2 \leftarrow G_2) \setminus \top}\ \vee\mathrm{AtAt}_{\neq}$   (for $q \neq q'$)

$\dfrac{D_1 \vee D_2 \setminus D \qquad D_1' \vee D_2 \setminus D'}{(D_1 \vee D_1') \vee D_2 \setminus D \vee D'}\ \vee\vee L$   $\dfrac{D_1 \vee D_2 \setminus D \qquad D_1' \vee D_2 \setminus D'}{(D_1 \wedge D_1') \vee D_2 \setminus D \wedge D'}\ \vee\wedge L$

$\dfrac{D_1 \vee D_2 \setminus D \qquad D_1' \vee D_2 \setminus D'}{D_2 \vee (D_1 \vee D_1') \setminus D \vee D'}\ \vee\vee R$   $\dfrac{D_1 \vee D_2 \setminus D \qquad D_1' \vee D_2 \setminus D'}{D_2 \vee (D_1 \wedge D_1') \setminus D \wedge D'}\ \vee\wedge R$

Figure 6.14: ∨-Elimination: $D_1 \vee D_2 \setminus D$


Example 6.39 Continuing Example 6.25, recall that:

Not_D(cloz) =
  ∀F:exp. ¬closed (lam F) ∧ (∀F1,F2:exp. ¬closed (app F1 F2)).

Not_D(clolam) =
  ¬closed z ∧ ∀F1,F2:exp. ¬closed (app F1 F2) ∧
  ∀E:exp. ¬closed (lam E) ← ∀x:exp. (closed x → ¬closed (E x)).

Removing trivially unsatisfiable clauses, the computation of Not_D(cloz) ∨ Not_D(clolam) \ D results in:

∀E:exp. ¬closed (lam E) ← (∀x:exp. closed x → ¬closed (E x)) ∧
∀F1,F2:exp. ¬closed (app F1 F2).

Going  back  to  the  linx  example: 

Notx){linxx)  V  NotD(imxapl)  = 

(-'/mx(Ax .  app  (Pi  x)  (P2  x))  A  '^linx{Xx .  lam{Xy .  (P  x  i/))))  V 

(-i/mx(Ax .  x)  A  -nZmx(Ax .  lam{Xy .  (P  x  y)))  A  ~->linx{Xx .  app  (Pi  x)  (P2  x^)) 

A -^linx{Xx .  app  (Pi  x)  (P2  x^))  -^linx{Xx.Ei  x)) 

NotD(/«^a:x)  V  Notu{liTixapl)  \  D,  where 

D  = 

-i/mx(Ax.app  (Pi  x)  (P2  A 

-i/mx(Ax . app  (Pi  x)  (P2  x*^))  i-  -'/mx(Ax  .Pi  x)  A 

^/mx(Ax .  lam{Xy .  P  x  y)). 
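As an added, runnable illustration of Figure 6.14 and of the clean-up that Example 6.39 performs by hand (this is my own Python, not code from the dissertation): elim_or applies the rules of the figure one by one, producing the compile-time equation (N1 = N2) of rule ∨AtAt, and simplify then solves those equations and drops the clauses that have no unifier, which is the "removing trivially unsatisfiable clauses" step. The tuple encoding, the first-order treatment of clause heads (the thesis's strict higher-order unification is not implemented) and all function names are my own assumptions; the sample input is Not_D(cloz) and Not_D(clolam) transcribed from Example 6.39.

```python
from typing import Optional

TOP = ("top",)
# Terms: capitalised strings are variables, lower-case strings are constants,
# tuples are applications, e.g. ("lam", "F") for (lam F).
# Clauses: ("top",), ("bot",), ("cl", q, args, G), ("and", D1, D2), ("or", D1, D2).
# Goals: ("top",), ("and", G1, G2), ("ceq", N1, N2) for the (N1 = N2) equation
# introduced by rule ∨AtAt; any other tuple is carried along unchanged.


def is_var(t) -> bool:
    return isinstance(t, str) and t[:1].isupper()


def apply(t, s: dict):
    """Apply substitution s to a term, or to any tuple structure built from terms."""
    if is_var(t):
        return apply(s[t], s) if t in s else t
    if isinstance(t, tuple):
        return tuple(apply(a, s) for a in t)
    return t


def occurs(v: str, t) -> bool:
    return t == v or (isinstance(t, tuple) and any(occurs(v, a) for a in t))


def unify(m, n, s: dict) -> Optional[dict]:
    """First-order unification with occurs check; None means there is no unifier."""
    m, n = apply(m, s), apply(n, s)
    if m == n:
        return s
    if is_var(m):
        return None if occurs(m, n) else {**s, m: n}
    if is_var(n):
        return unify(n, m, s)
    if isinstance(m, tuple) and isinstance(n, tuple) and len(m) == len(n):
        for a, b in zip(m, n):
            s = unify(a, b, s)
            if s is None:
                return None
        return s
    return None                               # constructor clash


def rename(d, suffix: str):
    """Rename the universally quantified variables of one disjunct apart."""
    if is_var(d):
        return d + suffix
    return tuple(rename(a, suffix) for a in d) if isinstance(d, tuple) else d


def elim_or(d1, d2):
    """D1 ∨ D2 \\ D, rule by rule as in Figure 6.14 (left rules tried first)."""
    t1, t2 = d1[0], d2[0]
    if t1 == "top" or t2 == "top":
        return TOP                            # ∨⊤D, ∨D⊤
    if t1 == "bot":
        return d2                             # ∨⊥D
    if t2 == "bot":
        return d1                             # ∨D⊥
    if t1 in ("and", "or"):                   # ∨∧L, ∨∨L
        return (t1, elim_or(d1[1], d2), elim_or(d1[2], d2))
    if t2 in ("and", "or"):                   # ∨∧R, ∨∨R
        return (t2, elim_or(d1, d2[1]), elim_or(d1, d2[2]))
    _, q1, n1, g1 = d1
    _, q2, n2, g2 = d2
    if q1 != q2:
        return TOP                            # ∨AtAt with q ≠ q'
    return ("cl", q1, n1, ("and", ("ceq", n1, n2), ("and", g1, g2)))   # ∨AtAt


def ceqs(g):                                  # the equations introduced by ∨AtAt
    if g[0] == "ceq":
        return [(g[1], g[2])]
    return ceqs(g[1]) + ceqs(g[2]) if g[0] == "and" else []


def strip(g):                                 # drop solved equations and ⊤ conjuncts
    if g[0] == "ceq":
        return TOP
    if g[0] == "and":
        l, r = strip(g[1]), strip(g[2])
        return r if l == TOP else l if r == TOP else ("and", l, r)
    return g


def simplify(d):
    """Solve the ∨AtAt equations; a clause with no unifier can never fire and becomes ⊤."""
    if d[0] == "and":
        l, r = simplify(d[1]), simplify(d[2])
        return r if l == TOP else l if r == TOP else ("and", l, r)
    if d[0] != "cl":
        return d
    _, q, n, g = d
    s = {}
    for m, k in ceqs(g):
        s = unify(m, k, s)
        if s is None:
            return TOP
    return ("cl", q, apply(n, s), strip(apply(g, s)))


def compile_or(d):
    """(D)^∨ of Definition 6.41 on clauses: compile inner ∨ first, then eliminate."""
    if d[0] == "and":
        return ("and", compile_or(d[1]), compile_or(d[2]))
    if d[0] == "or":
        return simplify(elim_or(rename(compile_or(d[1]), "'"), compile_or(d[2])))
    return d


def cl(pred, *args, body=TOP):
    return ("cl", pred, tuple(args), body)


# Constructed sample: Not_D(cloz) and Not_D(clolam) as in Example 6.39
OPEN_BODY = ("forall", "x", "exp",
             ("imp", ("atom", "closed", ("x",)), ("atom", "¬closed", (("E", "x"),))))
NOT_CLOZ = ("and", cl("¬closed", ("lam", "F")), cl("¬closed", ("app", "F1", "F2")))
NOT_CLOLAM = ("and", ("and", cl("¬closed", "z"), cl("¬closed", ("app", "F1", "F2"))),
              cl("¬closed", ("lam", "E"), body=OPEN_BODY))
```

compile_or(("or", NOT_CLOZ, NOT_CLOLAM)) returns the conjunction of the two clauses that Example 6.39 lists: ¬closed (lam E) ← ∀x:exp. closed x → ¬closed (E x), and ¬closed (app F1 F2). The four pairs whose heads clash (lam against z or app, app against z or lam) are discarded by simplify, exactly the "trivially unsatisfiable" clauses of the example.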

The following lemma guarantees that compilation preserves run-time immediate entailment:

Lemma 6.40 Let $D_1 \vee D_2 \setminus D$: for every ground substitution $\Gamma \vdash \theta$, $\Gamma;\mathcal{D} \vdash [\theta](D_1 \vee D_2) \gg Q$ iff $\Gamma;\mathcal{D} \vdash [\theta]D \gg Q$.

Proof: (→). By induction on the structure of $\pi :: D_1 \vee D_2 \setminus D$.

Case: $\pi$ ends in $\vee\top D$, $\vee\mathrm{AtAt}_{\neq}$: trivially true.

Case: $\pi$ ends in $\vee\bot D$, $\vee D\bot$: immediate.

Case:

$\dfrac{}{\forall(q\ N_1 \leftarrow G_1) \vee \forall(q\ N_2 \leftarrow G_2) \setminus \forall(q\ N_1 \leftarrow (N_1 = N_2) \wedge G_1 \wedge G_2)}\ \vee\mathrm{AtAt}$

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta](\forall(q\ N_1 \leftarrow G_1) \vee \forall(q\ N_2 \leftarrow G_2)) \gg q\ N$   By hypothesis
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta](\forall(q\ N_1 \leftarrow G_1)) \gg q\ N$ and $[\theta](\forall(q\ N_2 \leftarrow G_2)) \gg q\ N$   By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta \cdot \sigma_1]N_1 = N$ and $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta \cdot \sigma_1]G_1$   By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta \cdot \sigma_2]N_2 = N$ and $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta \cdot \sigma_2]G_2$   By inversion
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta \cdot \sigma_1]N_1 = [\theta \cdot \sigma_2]N_2$   By replacement
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta \cdot \sigma_1 \cdot \sigma_2]N_1 = [\theta \cdot \sigma_1 \cdot \sigma_2]N_2 \wedge [\theta \cdot \sigma_1 \cdot \sigma_2]G_1 \wedge [\theta \cdot \sigma_1 \cdot \sigma_2]G_2$   By composition of ground substitutions
$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta](\forall(q\ N_1 \leftarrow (N_1 = N_2) \wedge G_1 \wedge G_2)) \gg q\ N$   By rule $\gg{\to}$

Case: $\pi$ ends in $\vee\mathrm{At}\wedge$, $\vee\mathrm{At}\vee$, $\vee\wedge$, $\vee\vee$: by an immediate appeal to the IH.

(←): similarly. □


We remark that, using again terminating programs, the above lemma covers immediate denial as well. We now extend the effect of the above compilation to a program:

Definition 6.41

$(\top)^\vee = \top$
$(\bot)^\vee = \bot$
$(\forall(Q \leftarrow G))^\vee = \forall(Q \leftarrow (G)^\vee)$
$(D_1 \wedge D_2)^\vee = (D_1)^\vee \wedge (D_2)^\vee$
$(D_1 \vee D_2)^\vee = D$, where $(D_1)^\vee \vee (D_2)^\vee \setminus D$

$(X)^\vee = X$, for $X \in \{\top, \bot, Q, \mathrm{(dis)eq}\}$
$(G_1 \wedge G_2)^\vee = (G_1)^\vee \wedge (G_2)^\vee$
$(G_1 \vee G_2)^\vee = (G_1)^\vee \vee (G_2)^\vee$
$(D \to G)^\vee = (D)^\vee \to (G)^\vee$
$(\forall x{:}a.\,G)^\vee = \forall x{:}a.\,(G)^\vee$


Theorem 6.42 (Elimination of ∨) For every ground substitution $\Gamma \vdash \theta$:

1. $S :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]G$ iff $(S)^\vee :: \Gamma;([\theta]\mathcal{D})^\vee \vdash_{\mathcal{P}} ([\theta]G)^\vee$;

2. $I :: \Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]D \gg Q$ iff $(I)^\vee :: \Gamma;([\theta]\mathcal{D})^\vee \vdash_{\mathcal{P}} ([\theta]D)^\vee \gg Q$.

Proof: (→). By a straightforward mutual induction on the structure of the given derivations; we show the crucial case.

Case: $I$ ends in rule $\gg\vee$:

$\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]D_1 \gg Q$ and $\Gamma;\mathcal{D} \vdash_{\mathcal{P}} [\theta]D_2 \gg Q$   By sub-derivation
$\Gamma;([\theta]\mathcal{D})^\vee \vdash_{\mathcal{P}} ([\theta]D_1)^\vee \gg Q$ and $\Gamma;([\theta]\mathcal{D})^\vee \vdash_{\mathcal{P}} ([\theta]D_2)^\vee \gg Q$   By IH 2
$\Gamma;([\theta]\mathcal{D})^\vee \vdash_{\mathcal{P}} ([\theta]D_1)^\vee \vee ([\theta]D_2)^\vee \gg Q$   By rule $\gg\vee$
$\Gamma;([\theta]\mathcal{D})^\vee \vdash_{\mathcal{P}} ([\theta](D_1 \vee D_2))^\vee \gg Q$   By Lemma 6.40

(←). Similarly. □
The same remark w.r.t. termination applies.

We finish this chapter by completing our two running examples, where in a final pass we have also:

• Renamed negative predicates with more suggestive names.

• Removed irrelevant occurrences of ⊤.

• Hidden the irrelevant augmentation in the final negative clause.

• Brought clauses to the 'core' language's syntax, as in LF.

Example 6.43 Concluding Examples 6.25 and 6.39, the final definition of ¬closed is:

oplam : ∀E:exp. open (lam E) ← ∀x:exp. open (E x).

opap1 : ∀E1,E2:exp. open (app E1 E2) ← open E1.

opap2 : ∀E1,E2:exp. open (app E1 E2) ← open E2.

where we have hidden the irrelevant assumption closed x in oplam and renamed '¬closed' into open.

Example 6.44 The final definition of ¬linear and, in turn, ¬linx is:


-tlinappl 

-ylinapp2 

-ilinlaml 

-ilinlam2 

—tlinxapl 

-\linxap2 

-^linxapZ 

-ilinxapA 

->linxlm 


-^linear{app  F  G)  <-  ->linear{F). 

-^linear {app  F  G)  ^  -ilinear{G). 

-^linear {lam  Xx  .E  x)  ^linx{Xx  .Ex). 

-^linear{lam  Xx  .E  x) 

^  {\/y:exp.  {-ilinx{Xx  .y)  A  linear{y))  -^linear{E  y)). 
-^linx{Xx .  app  {F  {G  x^)). 

-ilinx{Xx .  app  {F  x^)  {G  x)®). 

~i/mx(Ax.app  {F  x^)  (G  x^))  4-  -n/mx(Ax.F  x^). 

‘-^linx{Xx .  app  {F  x^)  {G  x^))  -iZmx(Ax.G  x^). 

“i/mx(Ax .  lam{Xy .  E  x  y)) 

{\/y:exp.  -^linx{Xx .  y)  -^linx{Xx .  E  x  y)). 


6.10 Summary

In this chapter we have given a complement algorithm for a significant fragment of third-order Hereditary Harrop Formulae, by adapting the idea of elimination of negation introduced in [ST84] for Horn logic. This has the neat effect that negation and its problems are eliminated, i.e. we avoid any extension to the (meta) language. This has entailed finding a middle ground between the Closed World Assumption usually associated with negation and the Open World Assumption typical of logical frameworks. Our solution is to restrict the set of programs we deem deniable in a novel way, so as to enforce a Regular World Assumption (RWA): we define a class of programs whose dynamic assumptions extend the current database in a specific regular way. Technically, this regularity under dynamic extension is calibrated so as to ensure that static and dynamic clauses never overlap. This property extends to the negative program; in a sense, we maintain a distinction between static and dynamic information, but at a much finer level, i.e. inside the definition of a predicate. The resulting fragment is very rich, as it captures the essence of the usage of hypothetical and parametric judgments in a logical framework; namely, that they are intrinsically combined to represent scoping constructs in the object language.


Chapter  7 

Conclusions  and  Future  Work 


The importance of higher-order logical frameworks and logic programming languages that depend on intuitionistic logic, open-world assumptions (changing contexts), and lambda-abstractions is becoming more apparent and their use more widespread. Recent research is attempting to increase their expressivity, while preserving the conciseness and elegance of their representation techniques. The issue of negation has to be appreciated in that context. A good understanding of negation in such settings will significantly enhance the expressive strength of such specification languages.

In this dissertation we have presented a solution to this long-standing issue in logical frameworks endowed with a logic programming interpretation. The solution offered by our approach has the net (and neat) effect that negation and its problems are eliminated, i.e. we avoid any extension to the (meta) language.

Although the transformational approach to negation has been investigated in traditional logic programming, this is a novel approach to addressing negative information in the higher-order intuitionistic setting. Many of the techniques from Horn programs do not carry over directly, so creative solutions had to be found to adapt the idea to the higher-order setting. In particular, we had to:

1. Formulate a strict λ-calculus to obtain closure under term complement of the source language.

2. Find a notion of negation normal forms which is compatible with the operational semantics required by Hereditary Harrop Formulae (HHF).

3. Introduce the Regular World Assumption (RWA) as a way to reconcile the intrinsic tension between the Closed World Assumption, associated with negation, and the Open World Assumption typical of languages with embedded implication.

Elimination of negation is particularly tuned to logical frameworks: although the problems connected with negation are analogous in logical frameworks and logic programming, the solution does not need to be the same. In this sense our approach is not a panacea. For example, it is definitely not appropriate in the presence of even a small database of facts. Although the typing discipline goes a long way towards limiting the combinatorial explosion of negative facts, often a different approach is more fruitful; consider a small database recording the age of some people. It would be painful to negate, say, age k by inferring

non-age  k  0.  ..non-age  k  s^^(O) ,  non-age  k  s^^(X).  In  this  case  the  use  of  some  form  of  constructive 
negation  is  preferable,  possibly  in  the  form  of  disequations,  i.e.  non-age  k  Z  Z  ^  s^'^(O).  This  area,  to 
date,  has  not  been  explored  at  all  in  the  higher-order  case. 

Before discussing how to extend our approach beyond some of the current limitations, we take on again the main technical restriction¹, i.e. to complementable programs as defined in Figure 6.7. As we have argued, the key to a successful and implementable pairing of negation and hypothetical judgments is to keep static and dynamic information in a program separate at all times. We have achieved this by requiring every assumption to be parametric, a property which is preserved by the negative program. The eigenvariable condition enforced by the operational semantics of HHF, together with the rigidity restriction, does the rest.

¹ We discuss the issue of local variables later, see Subsection 7.1.4.
We have argued that this restriction is a most natural one w.r.t. the intended application; in our experience, it covers the overwhelming majority of actual Twelf and λProlog code. This of course does not mean that there are no useful programs which lie outside of this class; it is indeed entirely possible to use hypothetical judgments in isolation from parametric ones. We have noted in Section 5.4 how sometimes this can be avoided by resorting to a finer notion of context such as the one offered in linear logic. Otherwise, it is always possible to eliminate the offending implications by introducing an explicit management of contexts. For instance, we can revisit Example 5.1 and transform

impi : nd(A imp B) ← (nd(A) → nd(B)).

into:

impi' : nd(A imp B) ← nd2(A, B).

impi1 : nd2(A, A).

impi2 : nd2(C, A imp B) ← nd2(C, B).

impi3 : nd2(C, A imp B) ← nd2(A, B).

Although this goes against the spirit of logical frameworks based on intuitionistic logic programming, which owe part of their success to the capability of representing object-logic contexts via the meta-level scoping mechanism of embedded implication, this is not unheard of, and it is actually proposed (for different reasons) in [MM97]. Besides, this transformation will of course be localized only to those predicates we need to complement.


7.1 Lifting Restrictions

We now address some of the restrictions which can in fact be lifted; in doing so, we will consider an example which is not currently treated:

Example 7.1 Consider the following extension of the copy clauses to third- and fourth-order constructs, respectively callcc and reset:

callcc : ((exp → exp) → exp) → exp.

reset : (((exp → exp) → exp) → exp) → exp.

cpcallcc : cp (callcc λc:exp → exp. E c) (callcc λd:exp → exp. F d)
  ← (∀c:exp → exp.
       (∀x:exp. ∀y:exp. cp (c x) (c y) ← cp x y)
       → cp (E c) (F c)).

cpreset : cp (reset λf:(exp → exp) → exp. E f) (reset λg:(exp → exp) → exp. F g)
  ← (∀f:(exp → exp) → exp.
       (∀c,d:exp → exp.
          cp (f c) (f d) ← (∀x,y:exp. cp x y → cp (c x) (d y)))
       → cp (E f) (F f)).

7.1.1 Parameter Restrictions

The restriction to parameters of base type seems to be the least complicated one to lift, if we still require them to occur only in head position. We would thus redefine the class of Shallow Parameter Expressions (SPE) as:

SPE  Cx 


x  :  A  \  Xx  .Cx  \  {Cx  M)^ 
This will allow us to complement the third-order cpcallcc clause:

c:exp → exp ⊢ Not_α(∀x,y:exp. cp (c x) (c y) ← cp x y) =
  ∀(¬cp (c x) (lam E) ∧ ¬cp (c x) (app E1 E2) ∧
    ¬cp (lam F) (c y) ∧ ¬cp (app F1 F2) (c y) ∧
    ¬cp (c x) (c y) ← ¬cp x y).

The condition for parameters to occur in head position is instead orthogonal, since it is a sufficient condition for maintaining non-overlapping between dynamic and static clauses; that is, of course, the main technical idea behind the exclusivity proof. A clause can indeed be complementable, i.e. every assumption is parametric, but if the eigenvariable does not occur in head position in the assumption, then the non-overlapping requirement may not be immediately verifiable. If we can detect by static program analysis, or by any other means, that no overlapping will result, then those clauses too can be promoted.

7.1.2 Extension to Any Order

We currently treat only the third-order case, that is, we allow HHF which only make Horn assumptions. In this way, generally speaking, judgments on goals are only trivially recursive with the ones on clauses, since the latter do not make any new assumption. Allowing arbitrary assumptions instead requires this recursion to be unbounded. In general, most of the time we simply need to modify those judgments by passing around their contexts. To be concrete, let us consider for instance the issue of schema extraction: in the n-ary case, schemata ought to be hereditarily closed. In fact, if an HHF belongs to a schema, the latter ought to take into account any further assumption that the former may yield. The following modifications of the extraction judgments in Figure 6.5 will do the trick:

$\dfrac{\Gamma;\mathcal{D} \vdash G \Rightarrow S_1 \qquad \Gamma;\mathcal{D} \vdash D \Rightarrow S_2}{\Gamma;\mathcal{D} \vdash (G \to D) \Rightarrow S_1 \,\|\, S_2}$

$\dfrac{\Gamma;(\mathcal{D} \wedge D) \vdash G \Rightarrow S_1 \qquad \Gamma;\mathcal{D} \vdash D \Rightarrow S_2}{\Gamma;\mathcal{D} \vdash D \to G \Rightarrow S_1 \,\|\, S_2}\ {\Rightarrow}{\to}$

For example we can extract the following schema from the extended definition of cp:

def(cp) ⇒ x:exp; cp x x ‖
  c:exp → exp; (∀x,y:exp. cp x y → cp (c x) (c y)) ‖
  f:(exp → exp) → exp; (∀c,d:exp → exp. cp (f c) (f d) ←
    (∀x,y:exp. cp x y → cp (c x) (c y)))

In this case only the schema alternative induced by the cpreset clause needs to be hereditarily closed with x:exp; cp x x; but this is already provided by the (schema extracted from the) cplam clause.

Similar changes apply to the other judgments; in particular, augmentation is generalized, so that goals which can make dynamic assumptions are recursively augmented as well. Formally:

F;  P  h  au9r,{D)  =  F;  {V  A  D)  \-  augo{G)  =  G^ 

— — - aupQ  — y 

F;  P  I-  augG{D  G)  =  G^ 

We can therefore complement a fourth-order clause such as cpreset, where, for the sake of readability, we have not expanded the calls to Not_α(D):

-^cpreset  :  ->cp  {reset  A/: (exp  exp)  exp. E  f)  {reset  Ap: (exp  exp)  — >•  exp. F  g) 
7.2.2 Richer Type Theories

The approach we have chosen is tailored to satisfy the requirements of more complex logical frameworks than $L_\lambda$; thus, we now make some observations on how elimination of negation can be extended to those type theories.

Polymorphism

Different degrees (in the λ-cube) of polymorphism have been advocated as a feature in logical frameworks. Of course, the more expressive the type theory, the more complicated its meta-theory. Pfenning has given an algorithm for pattern unification and generalization in the Calculus of Constructions [Pfe91b]. Even if we stick to the fully applied case, term complementation may be fairly difficult to achieve in general. Languages such as λProlog instead offer the more manageable prenex (ML-like) polymorphism. In this case, a version of term complementation able to deal with polymorphic constructors, such as a polymorphic cons, should be feasible. In many ways, the problems are analogous to negation in the presence of predicate quantification (see the next entry, 7.2.3), namely the tension between a static operation such as complementation and the possible instantiations offered by polymorphism.

Dependent Types

Almost all the design decisions we have taken while addressing the issue of negation in a logical framework have been motivated by the ease of extending the latter to a framework such as LF/Twelf. The very idea of allowing negation by elimination owes to the requirement to preserve the adequacy of the extraordinary representation power of dependent types, while at the same time avoiding interference with the underlying logic programming engine, which makes Twelf a unique unified meta-language for the theory and meta-theory of deductive systems. While in this dissertation we fall short of addressing dependent types directly, we believe that the machinery we have developed is robust enough for this extension. One novel problem that we can already foresee is related to the interaction between term complementation and empty types. In the simply-typed fragment we can assume every type to be inhabited, but this property is obviously undecidable in the more powerful setting. This turns out to be problematic when complementing variables; at first sight, it is not clear what the complement $\Gamma \vdash \mathrm{Not}(E : a\ M)$ would be, where the latter type may be empty. One possibility is to restrict variable complementation at type $a\ M$, perhaps such that $M$ has no internal structure at all, i.e. it is empty or just a term variable; this would cover all the examples in this dissertation. Another one could be 'approximating' complementation in the simply-typed fragment and then sifting out the resulting complement set, in view of dependencies.

7.2.3 Predicate Quantification

In the logic programming community the term ‘higher-order’ is usually identified with the possibility of quantifying over predicates, in the effort to simulate the first-class functions capability of functional programming languages. This is sometimes a source of misunderstandings (let me mention Hilog [CKW93], which has a higher-order syntax and allows arbitrary terms to appear in places where predicates, functions and atomic formulas occur in predicate calculus, but whose semantics is strictly first-order) and it may be overrated, at least as far as logical frameworks are concerned, as the success of frameworks such as those based on LF testifies. Nevertheless, this is a useful, though not essential, feature and has been utilized for example in the implementation of proof-carrying code with λProlog [AF99]. Although we have not investigated the issue in depth, it seems that clause complementation can sometimes be applied in this extended sense. For instance, let some be a predicate of type (nat → o) → natlist → o, which selects the first element in a list of numbers for which a given predicate P : nat → o holds:

shd : some (λx:nat. P x) (cons Y Ys)
      ← (P Y).

stl : some (λx:nat. P x) (cons Y Ys)
      ← some (λx:nat. P x) Ys.
The application of our algorithm would yield:

¬snil : ¬some (λx:nat. P x) nil

      : ¬some (λx:nat. P x) (cons Y Ys)
      ← NotG(P Y) ∧ ¬some (λx:nat. P x) Ys.

Since we cannot foresee the structure of the goal (P Y) at compile-time, we delay the computation of NotG(P Y) until the instantiation is known. Of course, we cannot allow unrestricted instantiations, but we need to restrict P to conform to the possible context schema. This will prevent goals such as some (λx:nat. ¬even(x) → even(s(s(x)))) (cons 0 nil), which would destroy exclusivity.

Of course, the above example is too simple-minded in at least one respect: we did not consider term complementation on terms with some internal logical structure. The only reason the some predicate was complementable is that the predicate occurring inside a term is simply a variable, making term complementation trivial. In the general case, clause heads can contain arbitrarily complex terms of type o. The approach we have developed so far does not seem to capture those phenomena except in the simplest form.

7.3 Implementation Issues

A strict logical framework can be directly implemented with very minor adaptations of well-known techniques used for its linear cousins such as Lolli [Hod94, CHP97] and LLF [Cer96]. Although we argue that strictness is a useful and ubiquitous concept which deserves to be offered as a primitive notion in a logical framework, this is not the only choice.

In fact, Girard would be quick to point out that it is not necessary to take strictness as a primitive at all, since linear logic is flexible enough to express the notion of ‘must occur’ already. Indeed, strict implication can be embedded into linear logic by simply defining A → B as A ⊸ A → B. This is of course true, but notice that while this translation will indeed retain provability, it is not faithful to the structure of proofs. Since in a logical framework such as LF we are also concerned with the structure of terms, this embedding is not adequate. For example, the strict term λx. c x x corresponds to both λx^.λy. c x^ y and λx^.λy. c y x^, where the (_)^ notation refers to linear abstraction and application. Even if we are just considering proof search (and not proof terms) there are too many distinct derivations of A ⊸ A → B when compared to A → B. So when we take a theorem in strict logic, embed it, and run it in a logical framework such as LLF, we incur a fair amount of additional non-determinism. On the other hand, the strict λ-calculus captures exactly the right properties in an elegant way and can be developed from first principles. In summary, the linear λ-calculus does not apply here; even though it is clearly possible to compile strict functions to linear ones, this compilation preserves only truth, but not the structure of proofs.

Moreover, as far as negation is concerned, we can safely remain in an intuitionistic setting. The drawback is that we have to decorate source programs whose clause heads (hereditarily) contain partially applied terms with appropriate occurrences of the vacuous predicate we have mentioned in Section 2.5. The latter, under negation, is transformed into the strict one. Strict unification does not need to be considered, since every term remains in the fully-applied fragment.

For example, if we are encoding a term, say ‘λx.e’, with the side condition that x ∉ FV(e), we usually represent e with a pattern variable E, which does not depend on x. For example, reconsider clause linxapl:

linxapl : linx(λx. app (E1 x) E2) ← linx(λx. E1 x).

The latter may be rewritten as:

linxapl' : linx(λx. app (E1 x) (E2 x)) ← vacuous(λx. E2 x) ∧ linx(λx. E1 x).

where vacuous(λx. E2 x) enforces that x does not occur in E2 x. The negation transformation will convert those annotations into (pre-compiled) strict ones. Pursuing this example further, the complement of linxapl' will include:

Not_D(linxapl') : ¬linx(λx. app (E1 x) (E2 x)) ← strict(λx. E2 x) ∨ ¬linx(λx. E1 x).
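The decoration just described, worked through on a concrete term representation as an added example that is not code from the dissertation: vacuous and strict are implemented as complementary occurrence checks, the decorated clause linxapl' is run next to its complement, and the two are checked to be exclusive and exhaustive. The mirror clause for the case where x lives in the argument of the application, and the sample subterms, are assumptions of this example.

```python
# Added example (not from the dissertation): lambda terms as a small AST, on which
# the `vacuous`/`strict` annotations of Section 7.3 and the decorated clause
# linxapl' with its complement are executed directly.
from dataclasses import dataclass
from itertools import product
from typing import Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"

@dataclass(frozen=True)
class Lam:
    var: str
    body: "Term"

Term = Union[Var, App, Lam]

def count(x: str, t: Term) -> int:
    """Free occurrences of variable x in t, respecting shadowing by Lam."""
    if isinstance(t, Var):
        return int(t.name == x)
    if isinstance(t, App):
        return count(x, t.fun) + count(x, t.arg)
    return 0 if t.var == x else count(x, t.body)

def vacuous(x: str, t: Term) -> bool:   # x does not occur in t (the annotation of linxapl')
    return count(x, t) == 0

def strict(x: str, t: Term) -> bool:    # x occurs in t: the complement of vacuous
    return count(x, t) >= 1

def linx(x: str, t: Term) -> bool:      # x occurs exactly once: linearity
    return count(x, t) == 1

def linx_app(x: str, e1: Term, e2: Term) -> bool:
    """linx(λx. app (E1 x) (E2 x)): linxapl' plus an assumed mirror clause for E2."""
    return (vacuous(x, e2) and linx(x, e1)) or (vacuous(x, e1) and linx(x, e2))

def not_linx_app(x: str, e1: Term, e2: Term) -> bool:
    """Complement: each clause body negated (vacuous -> strict) and conjoined;
    the first conjunct is the page's Not_D(linxapl')."""
    return (strict(x, e2) or not linx(x, e1)) and (strict(x, e1) or not linx(x, e2))

def exclusive_and_exhaustive(x: str, terms) -> bool:
    """Exactly one of linx_app / not_linx_app holds for every pair of subterms."""
    return all(linx_app(x, a, b) != not_linx_app(x, a, b) for a, b in product(terms, repeat=2))

# Constructed sample instances of E1 x and E2 x (not taken from the dissertation).
SAMPLES = [Var("x"), Var("y"), Var("c"), App(Var("c"), Var("x")), App(Var("x"), Var("x")),
           Lam("x", Var("x")), Lam("y", App(Var("x"), Var("y")))]
```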
This kind of decoration of programs is a relatively small price to pay compared to the hassle of implementing a strict calculus only for the purpose of allowing full clause complementation; consider for example the lack so far of a crucial ingredient such as a type reconstruction algorithm (although one for a related calculus is presented in Wright’s dissertation [Wri92]). Moreover, for every signature, the definition of the predicate vacuous is completely trivial, while the one for strict is type-directed and may be automatically inferred, in the style of Miller’s copy clause [Mil89b]. On the other hand, this approach is less workable when lifting the restriction to ground goals; in the presence of open queries, in fact, those annotations would induce an undesirable ‘generate-and-test’ operational semantics: for example, the vacuous predicate would generate vacuous terms to be then checked for, in this case, linearity. It may be possible to internalize the strictness annotations as boolean constraints [HP97], in analogy to the linear case; if so, that would work very well with logical frameworks such as Twelf(X) [Vir99], which have a declarative notion of constraints.

7.4 Additional Topics

7.4.1 Higher-Order Program Algebra

Several authors have investigated the algebra of logic programs to address modularity and meta-level issues [O’K85, MP88, SW92]. In particular, in [MPRT90a] the authors describe a program algebra for Horn clauses without local variables under clause complement, set union and intersection. Since they interpret negation as finite failure, exhaustivity does not hold. In fact, what they call a “constructive version of a boolean algebra” is exactly what Rasiowa [BR57] calls “quasi pseudo Boolean algebras”, that is, distributive lattices which satisfy the axioms of strong negation restricted to Horn logic.

We can extend the idea of a logic program algebra to a significant fragment of (third-order) HHF. In our case we take equality (≃) as operational equivalence under appropriate run-time contexts [Har92]; for all programs P1, P2 (seen as conjunctions of predicate definitions) which satisfy a common context schema S, for every run-time context Γ;Δ ≤ S and for every ground G:

P1 ≃ P2 iff (Γ;Δ ⊢_{P1} G iff Γ;Δ ⊢_{P2} G)

Then we can organize the set of (finite) programs into a boolean algebra under union ‘∧’ (lub), intersection ‘∨’ (glb), complement ‘Not_D’, the empty program ‘⊤’ (zero) and the universal program ‘⊥’ (one). Corollary 6.34 confirms that negation is boolean. Moreover, the rules for Not_G and Not_D have been engineered to respect De Morgan’s laws.

It could be interesting to study the applicability of those ideas to the modularity of higher-order logic programs, in particular to the modular construction of knowledge-based systems; for example a user could collect in a module P1 all the positive knowledge about a predicate and in another, say P2, all the negative knowledge (that is, the cases where the predicate does not hold). This is useful when dealing with defaults and exceptions. The system would be able to compose those modules via boolean manipulations.

7.4.2 Strict and Vacuous Variables

It is our contention that the strict λ-calculus we have introduced to formulate term complementation has an independent interest in the investigation of sub-structural logics. Not only is our type system simpler and (we claim) more elegant than the ones presented in the literature (reviewed in Section 3.3), but the introduction of the notion of vacuous variables can be useful in a variety of contexts, beyond strictness analysis. In fact, Pfenning [Pfe00b] has suggested some unexpected usage of those variables in type theory; in particular, if we equip a linear λ-calculus with vacuous variables, this will permit more programs under type assignment. For example consider the function λx.λy.(λw.y) x, which is traditionally considered not linear, since x appears twice; nevertheless, the second occurrence is vacuous since it is the argument of a constant function. By accounting for the latter, we can give it the linear type A ⊸ B ⊸ (A ⊗ B). This carries over to the study of explicit substitutions [ACCL91] in resource-conscious λ-calculi: for example, in [GPR98], refined in [CdPR99], the authors propose a system of explicit substitutions for intuitionistic linear logic over unit, lollipop, tensor and bang, where variables can either be linear or intuitionistic. The calculus is not optimal for several reasons, to start with the need for commutative conversions. One technical issue which could be improved is the substitution “extension operator”, which accounts for the term to be substituted and comes in three flavors: intuitionistic, linear and ‘used’ linear, to mark a term which has already been linearly substituted. More generally, vacuous (or hidden) variables go together with the modality of hidden types, M : [A], “M is a past term of type A” [DPar], which, as the adjoint operation of the traditional S4 necessity operator, is a promising tool in the study of staged computation [DPar] and computational irrelevance. We plan to develop such a calculus and verify its usefulness in those areas.